Edit tour

Windows Analysis Report
Payment.exe

Overview

General Information

Sample name:	Payment.exe
Analysis ID:	1428410
MD5:	88e1a2d19bd93d64e6a3675c404bf424
SHA1:	4199075cc9c375b7a1dd85ab701e5fab010136eb
SHA256:	16b790ad37c38e92e2f7b102d2d622dd6a1e51f9614c72f404272536e4785be1
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment.exe (PID: 1528 cmdline: "C:\Users\user\Desktop\Payment.exe" MD5: 88E1A2D19BD93D64E6A3675C404BF424)

RegSvcs.exe (PID: 5836 cmdline: "C:\Users\user\Desktop\Payment.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.italiacanda-it.com", "Username": "snpss@italiacanda-it.com", "Password": "dsrociz1               "}

Threatname: RedLine

{"C2 url": ["smtp.italiacanda-it.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2525290026.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.2525290026.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BE 88 44 24 2B 88 44 24 2F B0 20 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BE 88 44 24 2B 88 44 24 2F B0 20 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x406a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40717:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x407a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40833:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4089d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4090f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x409a5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40a35:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f82f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8b9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fabd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000A.00000002.2529262570.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2529262570.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2529262570.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5836	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BE 88 44 24 2B 88 44 24 2F B0 20 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BE 88 44 24 2B 88 44 24 2F B0 20 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.Payment.exe.1110000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.Payment.exe.1110000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BE 88 44 24 2B 88 44 24 2F B0 20 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.RegSvcs.exe.2cdffd6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.2cdffd6.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.2cdffd6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.2cdffd6.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da2f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dab9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcbd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x406a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40717:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x407a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40833:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4089d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4090f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x409a5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40a35:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.2ec0ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.2ec0ee8.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.2ec0ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.2ec0ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da2f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dab9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcbd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.2cdf0ee.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.2cdf0ee.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.2cdf0ee.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.2cdf0ee.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e8a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e917:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e9a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ea33:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ea9d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eb0f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eba5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ec35:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.3fc3390.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.3fc3390.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.3fc3390.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.3fc3390.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da2f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dab9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcbd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.2ec0000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.2ec0000.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.2ec0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.2ec0000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x406a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40717:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x407a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40833:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4089d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4090f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x409a5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40a35:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.2cdffd6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.2cdffd6.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.2cdffd6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.2cdffd6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f82f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8b9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fabd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.5590000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.5590000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.5590000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.5590000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da2f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dab9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcbd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f82f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8b9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fabd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.3f76458.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.3f76458.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.3f76458.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.3f76458.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8c6f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f82f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8c767:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8b9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c7f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c883:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c8ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8c95f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fabd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8c9f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8ca85:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.3fc3390.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.3fc3390.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.3fc3390.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.3fc3390.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f82f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8b9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fabd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.3f75570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.3f75570.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.5590000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.5590000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.5590000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.3f75570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.5590000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f82f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8b9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fabd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.3f75570.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e8a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e917:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e9a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ea33:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ea9d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eb0f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eba5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ec35:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.2ec0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.2ec0000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.2ec0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.2ec0000.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e8a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e917:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e9a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ea33:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3ea9d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eb0f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eba5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ec35:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.3f76458.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.3f76458.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.3f76458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.3f76458.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9bd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da2f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dab9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc27:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcbd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd4d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.RegSvcs.exe.3f75570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.3f75570.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.RegSvcs.exe.3f75570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegSvcs.exe.3f75570.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x406a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8d5dd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40717:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8d64f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x407a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8d6d9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40833:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8d76b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4089d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8d7d5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4090f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8d847:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x409a5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8d8dd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40a35:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8d96d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 65 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5836, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49700

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["smtp.italiacanda-it.com"]}
Source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.italiacanda-it.com", "Username": "snpss@italiacanda-it.com", "Password": "dsrociz1 "}

Multi AV Scanner detection for submitted file

Source: Payment.exe

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: Payment.exe

Joe Sandbox ML: detected

Source: Payment.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49699 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment.exe, 00000001.00000003.1286030143.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Payment.exe, 00000001.00000003.1278258580.00000000039F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment.exe, 00000001.00000003.1286030143.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Payment.exe, 00000001.00000003.1278258580.00000000039F0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00804696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00804696
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0080C9C7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080C93C FindFirstFileW,FindClose,	1_2_0080C93C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0080F200
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0080F35D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0080F65E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00803A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00803A2B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00803D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00803D4E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0080BF27

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: smtp.italiacanda-it.com

Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 208.91.199.223:587

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 208.91.199.223:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_008125E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_008125E2

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: RegSvcs.exe, 0000000A.00000002.2529262570.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000A.00000002.2529262570.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.italiacanda-it.com
Source: RegSvcs.exe, 0000000A.00000002.2529262570.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: RegSvcs.exe, 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 0000000A.00000002.2529262570.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 0000000A.00000002.2529262570.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 0000000A.00000002.2529262570.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49699 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, K6raBsUk6.cs

.Net Code: _1kx

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_0081425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_0081425A

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_00814458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00814458

Source: C:\Users\user\Desktop\Payment.exe

1_2_0081425A

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_00800219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_00800219

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_0082CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_0082CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.Payment.exe.1110000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.RegSvcs.exe.2cdffd6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.2ec0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.2cdf0ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.3fc3390.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.2ec0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.5590000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.3f75570.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.2ec0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.3f76458.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.3f75570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.2525290026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Payment.exe	Code function: This is a third-party compiled AutoIt script.	1_2_007A3B4C
Source: Payment.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment.exe, 00000001.00000000.1266137154.0000000000855000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5406aca6-f
Source: Payment.exe, 00000001.00000000.1266137154.0000000000855000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_676964ee-c
Source: Payment.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3829d69a-5
Source: Payment.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_71e51ea6-d

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment.exe

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_008040B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

1_2_008040B1

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007F8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_007F8858

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_0080545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_0080545F

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007AE800	1_2_007AE800
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007CDBB5	1_2_007CDBB5
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007AE060	1_2_007AE060
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0082804A	1_2_0082804A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007B4140	1_2_007B4140
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007C2405	1_2_007C2405
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007D6522	1_2_007D6522
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007D267E	1_2_007D267E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00820665	1_2_00820665
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007B6843	1_2_007B6843
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007C283A	1_2_007C283A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007D89DF	1_2_007D89DF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00820AE2	1_2_00820AE2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007B8A0E	1_2_007B8A0E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007D6A94	1_2_007D6A94
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007FEB07	1_2_007FEB07
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00808B13	1_2_00808B13
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007CCD61	1_2_007CCD61
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007D7006	1_2_007D7006
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007B710E	1_2_007B710E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007B3190	1_2_007B3190
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007A1287	1_2_007A1287
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007C33C7	1_2_007C33C7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007CF419	1_2_007CF419
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007C16C4	1_2_007C16C4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007B5680	1_2_007B5680
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007C78D3	1_2_007C78D3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007B58C0	1_2_007B58C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007C1BB8	1_2_007C1BB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007D9D05	1_2_007D9D05
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007AFE40	1_2_007AFE40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007CBFE6	1_2_007CBFE6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007C1FD0	1_2_007C1FD0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_01103640	1_2_01103640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040DC11	10_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00407C3F	10_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00418CCC	10_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00406CA0	10_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004028B0	10_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0041A4BE	10_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00418244	10_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00401650	10_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00402F20	10_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004193C4	10_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00418788	10_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00402F89	10_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00402B90	10_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004073A0	10_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00BB7300	10_2_00BB7300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00BB4820	10_2_00BB4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00BB7CD4	10_2_00BB7CD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00BBD5B0	10_2_00BBD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00BB5A68	10_2_00BB5A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00BB8B91	10_2_00BB8B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B5DA00	10_2_02B5DA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B5CDE8	10_2_02B5CDE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B51030	10_2_02B51030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B5102F	10_2_02B5102F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B5D130	10_2_02B5D130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06975248	10_2_06975248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06970040	10_2_06970040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_069761D0	10_2_069761D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0697A100	10_2_0697A100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_069783D0	10_2_069783D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06971138	10_2_06971138

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Payment.exe	Code function: String function: 007C0D27 appears 70 times
Source: C:\Users\user\Desktop\Payment.exe	Code function: String function: 007A7F41 appears 35 times
Source: C:\Users\user\Desktop\Payment.exe	Code function: String function: 007C8B40 appears 42 times

Source: Payment.exe, 00000001.00000003.1286030143.0000000003CBD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe
Source: Payment.exe, 00000001.00000003.1285265918.0000000003B13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe
Source: Payment.exe, 00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Payment.exe

Source: Payment.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.Payment.exe.1110000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.RegSvcs.exe.2cdffd6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.2ec0ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.2cdf0ee.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.3fc3390.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.2ec0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.5590000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.3f75570.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.2ec0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.3f76458.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.3f75570.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000A.00000002.2525290026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, c2bZQnG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, c2bZQnG.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/5

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_0080A2D5 GetLastError,FormatMessageW,

1_2_0080A2D5

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007F8713 AdjustTokenPrivileges,CloseHandle,		1_2_007F8713
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007F8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_007F8CC3

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_0080B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_0080B59E

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_0081F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0081F121

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_008186D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

1_2_008186D0

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007A4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_007A4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Payment.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut1FF7.tmp

Jump to behavior

Source: Payment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Payment.exe "C:\Users\user\Desktop\Payment.exe"
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment.exe"
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Payment.exe

Static file information: File size 1186304 > 1048576

Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment.exe, 00000001.00000003.1286030143.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Payment.exe, 00000001.00000003.1278258580.00000000039F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment.exe, 00000001.00000003.1286030143.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Payment.exe, 00000001.00000003.1278258580.00000000039F0000.00000004.00001000.00020000.00000000.sdmp

Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_0081C304 LoadLibraryA,GetProcAddress,

1_2_0081C304

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007AC590 push eax; retn 007Ah	1_2_007AC599
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007C8B85 push ecx; ret	1_2_007C8B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0041C40C push cs; iretd	10_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00423149 push eax; ret	10_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0041C50E push cs; iretd	10_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004231C8 push eax; ret	10_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040E21D push ecx; ret	10_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0041C6BE push ebx; ret	10_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B54A1E push ds; ret	10_2_02B54A1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B54313 pushfd ; iretd	10_2_02B54319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_02B54896 push edx; ret	10_2_02B5489C

Source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'd3Thsd2F8VBcn', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'd3Thsd2F8VBcn', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'd3Thsd2F8VBcn', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'd3Thsd2F8VBcn', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'd3Thsd2F8VBcn', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007A4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_007A4A35
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_008255FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_008255FD

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007C33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_007C33C7

Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 10_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

10_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1044			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8779			Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-99925

Source: C:\Users\user\Desktop\Payment.exe

API coverage: 4.5 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00804696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00804696
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0080C9C7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080C93C FindFirstFileW,FindClose,	1_2_0080C93C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0080F200
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0080F35D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0080F65E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00803A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00803A2B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00803D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00803D4E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_0080BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0080BF27

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007A4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007A4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93954	Jump to behavior

Source: RegSvcs.exe, 0000000A.00000002.2527827963.000000000126D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payment.exe	API call chain: ExitProcess graph end node	graph_1-98082
Source: C:\Users\user\Desktop\Payment.exe	API call chain: ExitProcess graph end node	graph_1-98279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_008141FD BlockInput,

1_2_008141FD

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007A3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_007A3B4C

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007D5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_007D5CCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

10_2_004019F0

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_0081C304 LoadLibraryA,GetProcAddress,

1_2_0081C304

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_01103530 mov eax, dword ptr fs:[00000030h]	1_2_01103530
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_011034D0 mov eax, dword ptr fs:[00000030h]	1_2_011034D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_01101ED0 mov eax, dword ptr fs:[00000030h]	1_2_01101ED0

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007F81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_007F81F7

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007CA364 SetUnhandledExceptionFilter,	1_2_007CA364
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_007CA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_007CA395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004123F1 SetUnhandledExceptionFilter,	10_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C2D008

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007F8C93 LogonUserW,

1_2_007F8C93

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007A3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_007A3B4C

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007A4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_007A4A35

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_00804EC9 mouse_event,

1_2_00804EC9

Source: C:\Users\user\Desktop\Payment.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Payment.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

1_2_007F81F7

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_00804C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00804C03

Source: Payment.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Payment.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007C886B cpuid

1_2_007C886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

10_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007D50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_007D50D7

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007E2230 GetUserNameW,

1_2_007E2230

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007D418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_007D418A

Source: C:\Users\user\Desktop\Payment.exe

Code function: 1_2_007A4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_007A4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2529262570.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2529262570.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5836, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment.exe.1110000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2525290026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Payment.exe	Binary or memory string: WIN_81
Source: Payment.exe	Binary or memory string: WIN_XP
Source: Payment.exe	Binary or memory string: WIN_XPe
Source: Payment.exe	Binary or memory string: WIN_VISTA
Source: Payment.exe	Binary or memory string: WIN_7
Source: Payment.exe	Binary or memory string: WIN_8
Source: Payment.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2529262570.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5836, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2529262570.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2529262570.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5836, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdf0ee.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2cdffd6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3fc3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.5590000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.2ec0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f76458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.3f75570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment.exe.1110000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2525290026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00816596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_00816596
Source: C:\Users\user\Desktop\Payment.exe	Code function: 1_2_00816A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00816A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	48 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment.exe	39%	ReversingLabs	Win32.Trojan.Strab
Payment.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.198.143	true	false	high
api.ipify.org	104.26.13.205	true	false	high
smtp.italiacanda-it.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
smtp.italiacanda-it.com	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	RegSvcs.exe, 0000000A.00000002.2529262570.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.dyn.com/	RegSvcs.exe, 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://smtp.italiacanda-it.com	RegSvcs.exe, 0000000A.00000002.2529262570.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://api.ipify.org/t	RegSvcs.exe, 0000000A.00000002.2529262570.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://us2.smtp.mailhostbox.com	RegSvcs.exe, 0000000A.00000002.2529262570.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000A.00000002.2529262570.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.143	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.225	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.223	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
208.91.199.224	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428410
Start date and time:	2024-04-18 22:35:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 59 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Payment.exe

Simulations

Behavior and APIs

Time	Type	Description
22:36:06	API Interceptor	355562x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.143	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse
	rks18.doc	Get hash	malicious	AgentTesla	Browse
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse
	J1odVFynAz.exe	Get hash	malicious	AgentTesla	Browse
	Doc via Dhl.exe	Get hash	malicious	AgentTesla	Browse
	Quote.exe	Get hash	malicious	AgentTesla	Browse
208.91.199.225	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse
	rks18.doc	Get hash	malicious	AgentTesla	Browse
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse
	J1odVFynAz.exe	Get hash	malicious	AgentTesla	Browse
	Doc via Dhl.exe	Get hash	malicious	AgentTesla	Browse
	Quote.exe	Get hash	malicious	AgentTesla	Browse
208.91.199.223	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse
	rks18.doc	Get hash	malicious	AgentTesla	Browse
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse
	J1odVFynAz.exe	Get hash	malicious	AgentTesla	Browse
	Doc via Dhl.exe	Get hash	malicious	AgentTesla	Browse
104.26.13.205	SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	ArenaWarSetup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	rks18.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	J2TDUpZm2s.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	J1odVFynAz.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Doc via Dhl.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Quote.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
api.ipify.org	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	hesaphareketi-01.pdf.SCR.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	SHIPPING DOCUMENTS_PDF..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Payment Advice.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Scan-IMG PO Order CW289170-A CW201.bat.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	TransactionSummary_910020049836765_110424045239.xlsx	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F723838674.vbs	Get hash	malicious	Remcos	Browse	116.206.104.215
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Bill-Transcript_6ZB6-IJYD3B-SEH0.html	Get hash	malicious	Unknown	Browse	45.113.122.212
	rks18.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	116.206.104.215
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
CLOUDFLARENETUS	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	wFtZih4nN9.elf	Get hash	malicious	Mirai	Browse	104.28.24.146
	https://nwcchicago-my.sharepoint.com/:b:/p/jpsanavaitis/EZA36vHeUQxCnJ96O418g94BWiWpCx4SyNTLHION5X1T7g?e=N00DO7	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FBigge/aDRmd79087aDRmd79087aDRmd/ZHN3ZWF6YUBiaWdnZS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	172.67.206.230
	https://dinamicconsultores.app.questorpublico.com.br/	Get hash	malicious	HTMLPhisher	Browse	104.21.235.213
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	172.67.206.230
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	172.67.206.230
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
PUBLIC-DOMAIN-REGISTRYUS	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F723838674.vbs	Get hash	malicious	Remcos	Browse	116.206.104.215
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Bill-Transcript_6ZB6-IJYD3B-SEH0.html	Get hash	malicious	Unknown	Browse	45.113.122.212
	rks18.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	116.206.104.215
PUBLIC-DOMAIN-REGISTRYUS	Syknivkloo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F723838674.vbs	Get hash	malicious	Remcos	Browse	116.206.104.215
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PURCHASE ORDER -HDPESD.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	162.215.248.214
	Bill-Transcript_6ZB6-IJYD3B-SEH0.html	Get hash	malicious	Unknown	Browse	45.113.122.212
	rks18.doc	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PayFmc6FL4.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	116.206.104.215
	DHL 0028374.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Gcerti Quote.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.13.205
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	hesaphareketi-01.pdf.SCR.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Request for Proposal Quote_2414976#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	104.26.13.205
	Signed Proforma Invoice 3645479_pdf.vbs	Get hash	malicious	FormBook	Browse	104.26.13.205
	F723838674.vbs	Get hash	malicious	Remcos	Browse	104.26.13.205
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	SHIPPING DOCUMENTS_PDF..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	data
Category:	dropped
Size (bytes):	268288
Entropy (8bit):	7.863362241110921
Encrypted:	false
SSDEEP:	6144:Uxr1TCETnEUOUJ+XxP/6H06/Jrcnb/6A/mybDU4jq1bEQQazy:OrBBEUx2qHnrcnbCA/mwVjRBp
MD5:	BF77F3A2A1B62DB3202AFEDE7F1EB1A7
SHA1:	41DB92091632564F5170198299C7B82C7262C54F
SHA-256:	FE79BC3A664984FC1B9D72D6EF7F11E3410CBE242BADA02396ED6D885ADF9426
SHA-512:	3B3F7D2C20FC3F50180D54DD2E4856FE4DD61D3BD924EB8295B3599203FECAE397C2C1BF67B1A3A039826246DA5ED907C109441CB5954EB73337FCE6BFBD295C
Malicious:	false
Reputation:	low
Preview:	.h.GMM1GIOZR..O2.GNM1GMO.RK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YG.M1GCP.\K.F.x.O..f.'3!kE=]>5/ .$,!4=?.-Wy5;#..#o...."]="`@<MiOZRK5O21W.`.6.1v#.KcC.9\|nN9r>.,@..Lr6.3.6.1.#.K}.79R<.9.l3,.D.Lkd53.6.1.;(]cC.9NM1GMOZRK5O2YGNM4.F)ZRK5.wYG.L5G9.Z.K5O2YGNM.GnNQSB5O.XGN13GMOZRd.O2YWNM1.LOZR.5O"YGNO1GHOZRK5O2\GNM1GMOZ2O5O6YG.v3GOOZ.K5_2YWNM1G]OZBK5O2YG^M1GMOZRK5O2.RLMaGMOZ2I5..XGNM1GMOZRK5O2YGNM1GMOZRK5..XGRM1GMOZRK5O2YGNM1GMOZRK5O2YG.@3G.OZRK5O2YGNM1.LO.SK5O2YGNM1GMOZRK5O2YGNM1GMOt&.M;2YGV.0GM_ZRK.N2YCNM1GMOZRK5O2YGnM1'c=>3?TO2.*NM1.LOZ<K5O.XGNM1GMOZRK5O2.GN..#,;;RK5..YGNm3GMYZRK?M2YGNM1GMOZRK5.2Y.`?B5.OZR..N2Y'LM1.LOZrI5O2YGNM1GMOZR.5OrYGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM1GMOZRK5O2YGNM

C:\Users\user\AppData\Local\Temp\aut1FF7.tmp

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	data
Category:	dropped
Size (bytes):	265598
Entropy (8bit):	7.977819531829788
Encrypted:	false
SSDEEP:	6144:UnHO0hNvbHckX7KQVCwhuVC6CV3FERX8cPRDRc9osAAZOib6h:UBh9TckGahIG3eXRXc9osAdic
MD5:	3488993D4855B839C8D37DF515F214D7
SHA1:	9EE8ABBA58FAB8C7A95B19292C7DCBDB9BB8429E
SHA-256:	3E5750F311F2178A4876678A924AE3AA5C33AD48D887B62C0AB981B8197A82BA
SHA-512:	D892682C494822CE1AA96695BC963408352324361346FCDD9F021A7003988C00574835CC8D503A79F866346BF27215C3AC2D132320BD76A3C1DD5C2D0AF4A953
Malicious:	false
Reputation:	low
Preview:	EA06.....Z94zm6cG...U-..2......6...R...d.;5...\..P..../.F..?.........6.,..>.....$.C4.....k;..e.;\|z;........<..@..1.....cv..iv:..s\|.S.7)..Y@.w..)..g..i.0`......jS....l..=4M-2.d....."w(... ....WF...1..f...Mh.Uj..9....N...SZ~..G.Lf`.....8U....0.8..i. ...1....3\....5..4}..gG...]\..q.=v.Z..1b....mJ.M...T....X.P.1.:......{..:<4.s...z..I..$..l..8.v..zm\|.p..U...W.n..d.9..g?..T........p.G........w;..`@.E.......h.....Vp....k... \|0..OL..w.....Q.... %...;..?.@.T..&.H.iru.\|.3-.s.4.Eb.R....-5J...Q.8<.{............V..(T...m{.u..B.T..X.k.......y..xx..r..C;.)...(.P...&...R..i.F.N.s......D...9...1..)../....i.......r..H..>..g.}..K..`......N..@nD.e...@.....K..)T...7C.`@.....;.^<..!.. w...a...#..<C..T.3[...Bb.z5.o..k}...M...B.N.d...v.n.qB...l...S..L.;q...y...7....6[..j..{..mMJcG..c.j..m7.q0:..A3.M(.<...e.69S.t..S.Q.1[.[.u........z]...\.I.\Z...:.......(.....l.@....}..x50.....[..j...M...F)..........sz.;Uv...l+U.]2.y.c.W.w..v..:....M.L.v..g.r.Kk4~t.i..a.@*..

C:\Users\user\AppData\Local\Temp\aut2065.tmp

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	data
Category:	dropped
Size (bytes):	9868
Entropy (8bit):	7.591423720363009
Encrypted:	false
SSDEEP:	192:mS5jnkklrTefgLqJrwy/6Yyu2f82lIBK60aa5wzyeP6e05P4VkljLr7LJdPei:VnI00wRW1oveP6e05wijX7td2i
MD5:	AE50F07BE437D6542E052EF20828CF0B
SHA1:	8081711119A915F34B92440B75124812E5F6C35A
SHA-256:	807D28766933B5683ABFDF81476663F0F78BB553E516A70D3193CB2899AE17AD
SHA-512:	5BE94883A2AF47665014FD0AF9BCF47DF42D8A2729761215EB4DD2ECFCD639AF8F0C6E0EFB220F9A22FB3524041368375BDF1E726DA773E5FD6B70DA943E43D3
Malicious:	false
Reputation:	low
Preview:	EA06..p.P.tY..kD.L'....8.M.t..o7.Q'.)..aC.P......0.Mf.....8..lv;..e0..&.i...8.X.....m6.Nf.Y...9.M@..d.!,3y.........e.6., ..%..a.X....-.q3...zs0.Nf`.].Y'3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^.8.N@.=7.z...#.$...`!..H&.>_L.p..............@\|..6..(....ka..&...Xf@0........\|.=..g...........`.A..b.......P.O.id...\|.)....4....\.M.4.;...K..4\|. F...e.f..s....id..p.....4....s`./.....X. ..%..K.;-.o8...k ..4..`w..qd..f`....l.....V0...lS..m4.Y.......>.5...S...f&.+..Af....<..f....gl`....g.d..#4.x..#1.X...cV....0..BV0.NL@.;1.X..e1.Y,S[(.#6.,.d.....f.I......B3p....;2.X.se.Y..@.Fn.....f`...J&.9.......!93.X...c6).$.6.....h`...@.....3f.Lg3I..h....l.Z.,.....[%.ec...`....,vj...%.sb.X.,...p.....f.....g ...!8.....c.`!......3d...l.2.,...g.K..i0...B.....@.....j.0..B...Fl.....f....X.I..P...@

C:\Users\user\AppData\Local\Temp\subpredication

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	ASCII text, with very long lines (28714), with no line terminators
Category:	modified
Size (bytes):	28714
Entropy (8bit):	3.59341043207206
Encrypted:	false
SSDEEP:	768:DiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+Ik6Ng4vfF3if6gyn:DiTZ+2QoioGRk6ZklputwjpjBkCiw2Rl
MD5:	4860659008DE703B54355EAFA44F0151
SHA1:	5345CBB58C5C66FF393D2A3D27EFBC84CD6C7F04
SHA-256:	580EF7F33ABD9B17F2180C48944E58302062299BB849D2A3FD00324EDE9678AB
SHA-512:	291D578C57FBCD38FD1D67BF0AA30DC3EE8278727DDB19004763D48B77161898696EB7208F1CDFBFFD437052F587F4A97749CD6D8E7DA3979DF47E80B66EA825
Malicious:	false
Reputation:	low
Preview:	8BCE895DD08975C8663BC2772D8B5F0C8BD08BFE0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.137945706058082
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment.exe
File size:	1'186'304 bytes
MD5:	88e1a2d19bd93d64e6a3675c404bf424
SHA1:	4199075cc9c375b7a1dd85ab701e5fab010136eb
SHA256:	16b790ad37c38e92e2f7b102d2d622dd6a1e51f9614c72f404272536e4785be1
SHA512:	624e41236aac0a35eaf694f4ffa81a59a4992c86235c5494027f821172312b2566c20734b486421d948ddfd034e483778aadc91ffb93615382e48bc761f57f0b
SSDEEP:	24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaKBb6Nk8QWbVLjgT7gx5:ph+ZkldoPK8YaKJykiJLj+q
TLSH:	5E45AD0273D1C036FFAB92739B6AF24596BD79250133852F13981DB9BD701B2263E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66210BC8 [Thu Apr 18 12:02:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FAAB52DC3EDh
jmp 00007FAAB52CF1A4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FAAB52CF32Ah
cmp edi, eax
jc 00007FAAB52CF68Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FAAB52CF329h
rep movsb
jmp 00007FAAB52CF63Ch
cmp ecx, 00000080h
jc 00007FAAB52CF4F4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FAAB52CF330h
bt dword ptr [004BF324h], 01h
jc 00007FAAB52CF800h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FAAB52CF4CDh
test edi, 00000003h
jne 00007FAAB52CF4DEh
test esi, 00000003h
jne 00007FAAB52CF4BDh
bt edi, 02h
jnc 00007FAAB52CF32Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FAAB52CF333h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FAAB52CF385h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x573b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x120000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x573b4	0x57400	00fc97ade193793341fe5f749a663287	False	0.9251096883954155	data	7.88696020283486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x120000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x4e64c	data			1.0003301152289006
RT_GROUP_ICON	0x11ee04	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11ee7c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11ee90	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11eea4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11eeb8	0x10c	data	English	Great Britain	0.5895522388059702
RT_MANIFEST	0x11efc4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 22:36:06.981512070 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:06.981601954 CEST	443	49699	104.26.13.205	192.168.2.7
Apr 18, 2024 22:36:06.981796026 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:06.988698006 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:06.988738060 CEST	443	49699	104.26.13.205	192.168.2.7
Apr 18, 2024 22:36:07.228485107 CEST	443	49699	104.26.13.205	192.168.2.7
Apr 18, 2024 22:36:07.228874922 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:07.231950045 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:07.231977940 CEST	443	49699	104.26.13.205	192.168.2.7
Apr 18, 2024 22:36:07.232393026 CEST	443	49699	104.26.13.205	192.168.2.7
Apr 18, 2024 22:36:07.277861118 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:07.286367893 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:07.332118988 CEST	443	49699	104.26.13.205	192.168.2.7
Apr 18, 2024 22:36:07.522277117 CEST	443	49699	104.26.13.205	192.168.2.7
Apr 18, 2024 22:36:07.522433043 CEST	443	49699	104.26.13.205	192.168.2.7
Apr 18, 2024 22:36:07.522595882 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:07.531876087 CEST	49699	443	192.168.2.7	104.26.13.205
Apr 18, 2024 22:36:08.347733021 CEST	49700	587	192.168.2.7	208.91.198.143
Apr 18, 2024 22:36:09.355698109 CEST	49700	587	192.168.2.7	208.91.198.143
Apr 18, 2024 22:36:11.371337891 CEST	49700	587	192.168.2.7	208.91.198.143
Apr 18, 2024 22:36:15.386976957 CEST	49700	587	192.168.2.7	208.91.198.143
Apr 18, 2024 22:36:23.386980057 CEST	49700	587	192.168.2.7	208.91.198.143
Apr 18, 2024 22:36:29.405803919 CEST	49700	587	192.168.2.7	208.91.199.225
Apr 18, 2024 22:36:30.418443918 CEST	49700	587	192.168.2.7	208.91.199.225
Apr 18, 2024 22:36:32.418246984 CEST	49700	587	192.168.2.7	208.91.199.225
Apr 18, 2024 22:36:36.418261051 CEST	49700	587	192.168.2.7	208.91.199.225
Apr 18, 2024 22:36:44.418313026 CEST	49700	587	192.168.2.7	208.91.199.225
Apr 18, 2024 22:36:50.436868906 CEST	49700	587	192.168.2.7	208.91.199.224
Apr 18, 2024 22:36:51.449589014 CEST	49700	587	192.168.2.7	208.91.199.224
Apr 18, 2024 22:36:53.449525118 CEST	49700	587	192.168.2.7	208.91.199.224
Apr 18, 2024 22:36:57.449687004 CEST	49700	587	192.168.2.7	208.91.199.224
Apr 18, 2024 22:37:05.449553013 CEST	49700	587	192.168.2.7	208.91.199.224
Apr 18, 2024 22:37:11.449866056 CEST	49700	587	192.168.2.7	208.91.199.223
Apr 18, 2024 22:37:12.449542999 CEST	49700	587	192.168.2.7	208.91.199.223
Apr 18, 2024 22:37:14.449596882 CEST	49700	587	192.168.2.7	208.91.199.223
Apr 18, 2024 22:37:18.449625015 CEST	49700	587	192.168.2.7	208.91.199.223
Apr 18, 2024 22:37:26.449769020 CEST	49700	587	192.168.2.7	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 22:36:06.865847111 CEST	56106	53	192.168.2.7	1.1.1.1
Apr 18, 2024 22:36:06.970932007 CEST	53	56106	1.1.1.1	192.168.2.7
Apr 18, 2024 22:36:08.130042076 CEST	60273	53	192.168.2.7	1.1.1.1
Apr 18, 2024 22:36:08.346518040 CEST	53	60273	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 22:36:06.865847111 CEST	192.168.2.7	1.1.1.1	0x7ed2	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:36:08.130042076 CEST	192.168.2.7	1.1.1.1	0xd1b0	Standard query (0)	smtp.italiacanda-it.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 22:36:06.970932007 CEST	1.1.1.1	192.168.2.7	0x7ed2	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:36:06.970932007 CEST	1.1.1.1	192.168.2.7	0x7ed2	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:36:06.970932007 CEST	1.1.1.1	192.168.2.7	0x7ed2	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:36:08.346518040 CEST	1.1.1.1	192.168.2.7	0xd1b0	No error (0)	smtp.italiacanda-it.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 18, 2024 22:36:08.346518040 CEST	1.1.1.1	192.168.2.7	0xd1b0	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:36:08.346518040 CEST	1.1.1.1	192.168.2.7	0xd1b0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:36:08.346518040 CEST	1.1.1.1	192.168.2.7	0xd1b0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:36:08.346518040 CEST	1.1.1.1	192.168.2.7	0xd1b0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	104.26.13.205	443	5836	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 20:36:07 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 20:36:07 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 20:36:07 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 876771fa49408bb7-ATL
2024-04-18 20:36:07 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

Target ID:	1
Start time:	22:36:02
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\Payment.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment.exe"
Imagebase:	0x7a0000
File size:	1'186'304 bytes
MD5 hash:	88E1A2D19BD93D64E6A3675C404BF424
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.1287494008.0000000001110000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:36:04
Start date:	18/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment.exe"
Imagebase:	0xa70000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.2525290026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.2525290026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000A.00000002.2529070929.0000000002EC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2528725717.0000000002C9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000A.00000002.2531322668.0000000005590000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2529262570.0000000002FEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2530653351.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2529262570.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2529262570.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	56

Executed Functions

Function 007A3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007A3B7A
IsDebuggerPresent.KERNEL32 ref: 007A3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,008662F8,008662E0,?,?), ref: 007A3BFD

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

Part of subcall function 007B0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,007A3C26,008662F8,?,?,?), ref: 007B0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 007A3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008593F0,00000010), ref: 007DD4BC
SetCurrentDirectoryW.KERNEL32(?,008662F8,?,?,?), ref: 007DD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00855D40,008662F8,?,?,?), ref: 007DD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 007DD581

Part of subcall function 007A3A58: GetSysColorBrush.USER32(0000000F), ref: 007A3A62
Part of subcall function 007A3A58: LoadCursorW.USER32(00000000,00007F00), ref: 007A3A71
Part of subcall function 007A3A58: LoadIconW.USER32(00000063), ref: 007A3A88
Part of subcall function 007A3A58: LoadIconW.USER32(000000A4), ref: 007A3A9A
Part of subcall function 007A3A58: LoadIconW.USER32(000000A2), ref: 007A3AAC
Part of subcall function 007A3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007A3AD2
Part of subcall function 007A3A58: RegisterClassExW.USER32(?), ref: 007A3B28

Part of subcall function 007A39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007A3A15
Part of subcall function 007A39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007A3A36
Part of subcall function 007A39E7: ShowWindow.USER32(00000000,?,?), ref: 007A3A4A
Part of subcall function 007A39E7: ShowWindow.USER32(00000000,?,?), ref: 007A3A53

Part of subcall function 007A43DB: _memset.LIBCMT ref: 007A4401
Part of subcall function 007A43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007A44A6

Strings

runas, xrefs: 007DD575
This is a third-party compiled AutoIt script., xrefs: 007DD4B4

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 40ddb67a8f6b800a58d1cb0e9e9c3a7aa49ac7ba4d42fa644e55a46ac6828ab4
Instruction ID: fd3d6f5eda7e92c8c1a73bcbce1098096a4e63e3459c50380df0c33d7c0b25e3
Opcode Fuzzy Hash: 40ddb67a8f6b800a58d1cb0e9e9c3a7aa49ac7ba4d42fa644e55a46ac6828ab4
Instruction Fuzzy Hash: C951D630904288EACF15ABB4DC199ED7B75FB86710B004275F955A2392EA7C4A16CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007A4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007A4EEE,?,?,00000000,00000000), ref: 007A4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007A4EEE,?,?,00000000,00000000), ref: 007A5010
LoadResource.KERNEL32(?,00000000,?,?,007A4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007A4F8F), ref: 007DDD60
SizeofResource.KERNEL32(?,00000000,?,?,007A4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007A4F8F), ref: 007DDD75
LockResource.KERNEL32(Nz,?,?,007A4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007A4F8F,00000000), ref: 007DDD88

Strings

SCRIPT, xrefs: 007A5006
Nz, xrefs: 007DDD85

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$Nz
API String ID: 3051347437-1391604286
Opcode ID: c4a29114f2cbba6260346c347507ed38ae37ce70f02359af23a1e291d3b59f95
Instruction ID: 287519ee9e049995ae94e259cf57f8079f28f4786b9e0b454ab3bb1066f609ea
Opcode Fuzzy Hash: c4a29114f2cbba6260346c347507ed38ae37ce70f02359af23a1e291d3b59f95
Instruction Fuzzy Hash: E2115A75200700AFD7318B65DC58F6B7BB9FBCAB11F208278F606D6260EB61EC01C660

Uniqueness

Uniqueness Score: -1.00%

Function 007A4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007A4B2B

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

GetCurrentProcess.KERNEL32(?,0082FAEC,00000000,00000000,?), ref: 007A4BF8
IsWow64Process.KERNEL32(00000000), ref: 007A4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 007A4C45
FreeLibrary.KERNEL32(00000000), ref: 007A4C50
GetSystemInfo.KERNEL32(00000000), ref: 007A4C81
GetSystemInfo.KERNEL32(00000000), ref: 007A4C8D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: f246fd072a07b0dfa2b8736adbb084b6fc92f32e625352a749d62c863e7023de
Instruction ID: b941be11126b5f6a4c236d1823ec6c55fcd2f43e6123068fc1d1c36cb0d37c40
Opcode Fuzzy Hash: f246fd072a07b0dfa2b8736adbb084b6fc92f32e625352a749d62c863e7023de
Instruction Fuzzy Hash: 5091C37154A7C0DEC731CB6885551AABFF5AFA6300F444AAED0CB93B42D269E908C729

Uniqueness

Uniqueness Score: -1.00%

Function 00804696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,007DE7C1), ref: 008046A6
FindFirstFileW.KERNELBASE(?,?), ref: 008046B7
FindClose.KERNEL32(00000000), ref: 008046C7

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 8ffd72ce0c95e9f9235cc85891f0e202556509a0b46249e41c6b0c8ef0e3ed55
Instruction ID: ea462f335267b9e1022aea2d0a7d7e18b4ed9bb95c7b9e91d5e7e6d96bb56c7a
Opcode Fuzzy Hash: 8ffd72ce0c95e9f9235cc85891f0e202556509a0b46249e41c6b0c8ef0e3ed55
Instruction Fuzzy Hash: 09E0D8718144009B9220A738EC4D4EA77ACFE17335F104725FA35C11E0F7B15950C595

Uniqueness

Uniqueness Score: -1.00%

Function 007AE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 007E428C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 704cb9ad2ad4746e6fc8d37515a5a9a4374c9210faeb7cf92d2a14367222d334
Instruction ID: 762b491d93229a8b2d151f913c4b4fbcb8f35b1be11a97ec7770c8766b91df9d
Opcode Fuzzy Hash: 704cb9ad2ad4746e6fc8d37515a5a9a4374c9210faeb7cf92d2a14367222d334
Instruction Fuzzy Hash: C3A2C574A04205CFCF24CF98C484AAEB7B1FF9A314F248269E916AB351D779ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007B0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007B0BBB
timeGetTime.WINMM ref: 007B0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007B0FB3
TranslateMessage.USER32(?), ref: 007B0FC7
DispatchMessageW.USER32(?), ref: 007B0FD5
Sleep.KERNEL32(0000000A), ref: 007B0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 007B105A
DestroyWindow.USER32 ref: 007B1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007B1080
Sleep.KERNEL32(0000000A,?,?), ref: 007E52AD
TranslateMessage.USER32(?), ref: 007E608A
DispatchMessageW.USER32(?), ref: 007E6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007E60AC

Strings

@GUI_WINHANDLE, xrefs: 007E53B9
@GUI_CTRLID, xrefs: 007E5364
@GUI_CTRLHANDLE, xrefs: 007E540E
@TRAY_ID, xrefs: 007E5BB9
@COM_EVENTOBJ, xrefs: 007E591A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 8a82de565899d8d7aff7fe43943d4110185e140f9af5e328f28af2537217dd2e
Instruction ID: 87d6fc0bc45572a7a4d2ddfb7e718fdec6488e07acd3a9dd81a2a59b868dcdb5
Opcode Fuzzy Hash: 8a82de565899d8d7aff7fe43943d4110185e140f9af5e328f28af2537217dd2e
Instruction Fuzzy Hash: 47B2F670609785DFD724DF24C888BAAB7E5FF89308F144A1DF549872A1DB78E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008093DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008091E9: __time64.LIBCMT ref: 008091F3

Part of subcall function 007A5045: _fseek.LIBCMT ref: 007A505D

__wsplitpath.LIBCMT ref: 008094BE

Part of subcall function 007C432E: __wsplitpath_helper.LIBCMT ref: 007C436E

_wcscpy.LIBCMT ref: 008094D1
_wcscat.LIBCMT ref: 008094E4
__wsplitpath.LIBCMT ref: 00809509
_wcscat.LIBCMT ref: 0080951F
_wcscat.LIBCMT ref: 00809532

Part of subcall function 0080922F: _memmove.LIBCMT ref: 00809268
Part of subcall function 0080922F: _memmove.LIBCMT ref: 00809277

_wcscmp.LIBCMT ref: 00809479

Part of subcall function 008099BE: _wcscmp.LIBCMT ref: 00809AAE
Part of subcall function 008099BE: _wcscmp.LIBCMT ref: 00809AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008096DC
_wcsncpy.LIBCMT ref: 0080974F
DeleteFileW.KERNEL32(?,?), ref: 00809785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0080979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008097AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008097BE

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: e3217acdd0f08b92335e6a58e01ff37f8507e1d5c297b9e66e4ee8df1fb14974
Instruction ID: bff17aa34d440b77cc65ccd0299e988003f8ebafe293f305a3c2b327ad1aeda3
Opcode Fuzzy Hash: e3217acdd0f08b92335e6a58e01ff37f8507e1d5c297b9e66e4ee8df1fb14974
Instruction Fuzzy Hash: D7C14CB1E00219AACF21DFA4CC85EDEB7BDFF55300F0041AAF649E6192DB749A448F65

Uniqueness

Uniqueness Score: -1.00%

Function 007A3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007A3074
RegisterClassExW.USER32(00000030), ref: 007A309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007A30AF
InitCommonControlsEx.COMCTL32(?), ref: 007A30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007A30DC
LoadIconW.USER32(000000A9), ref: 007A30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007A3101

Strings

TaskbarCreated, xrefs: 007A30A4
AutoIt v3 GUI, xrefs: 007A3090
0, xrefs: 007A3056
+, xrefs: 007A305D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e5a338729304a0319f03ab43413c1c07cc7e298042b830ae6adfbd42edfb45b0
Instruction ID: 9aefb64debce436f867849ed293b661ea4d185904fb09503fa99f07802041922
Opcode Fuzzy Hash: e5a338729304a0319f03ab43413c1c07cc7e298042b830ae6adfbd42edfb45b0
Instruction Fuzzy Hash: B83129B1800389AFDB518FA4EC44AD9BBF0FB09310F14812AE650E62A1E3B54591CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007A3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007A3074
RegisterClassExW.USER32(00000030), ref: 007A309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007A30AF
InitCommonControlsEx.COMCTL32(?), ref: 007A30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007A30DC
LoadIconW.USER32(000000A9), ref: 007A30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007A3101

Strings

TaskbarCreated, xrefs: 007A30A4
AutoIt v3 GUI, xrefs: 007A3090
0, xrefs: 007A3056
+, xrefs: 007A305D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 23999ff770f6349f3aa26591da184064889f8026752203981135d788e856971b
Instruction ID: 362b38de016e31b63a6136e636964129ae589f83888db1baec7b324502f30afb
Opcode Fuzzy Hash: 23999ff770f6349f3aa26591da184064889f8026752203981135d788e856971b
Instruction Fuzzy Hash: 9521E0B1900258AFDB10DFA4E988B9DBBF4FB08700F00913AFA10E72A1E7B54555CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007A71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007A4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008662F8,?,007A37C0,?), ref: 007A4882

Part of subcall function 007C074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007A72C5), ref: 007C0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007A7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007DECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007DED32
RegCloseKey.ADVAPI32(?), ref: 007DED70
_wcscat.LIBCMT ref: 007DEDC9

Strings

\, xrefs: 007DEDEC
Software\AutoIt v3\AutoIt, xrefs: 007A72FE
\Include\, xrefs: 007A72C5
Include, xrefs: 007DECE8, 007DED29

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 4c5deec9017ffa8cc64822847d9343d37833ef59cda4f31abcd00f342ea57660
Instruction ID: b4b72cede70f9ec56d9f21e7afb0071a70cb23c140cf0b87c9f9e8aa0fc70562
Opcode Fuzzy Hash: 4c5deec9017ffa8cc64822847d9343d37833ef59cda4f31abcd00f342ea57660
Instruction Fuzzy Hash: D471AB71108301DEC314EF25EC9599BBBF8FF85704B41062EF546C72A1EBB49949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007A3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007A3A62
LoadCursorW.USER32(00000000,00007F00), ref: 007A3A71
LoadIconW.USER32(00000063), ref: 007A3A88
LoadIconW.USER32(000000A4), ref: 007A3A9A
LoadIconW.USER32(000000A2), ref: 007A3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007A3AD2
RegisterClassExW.USER32(?), ref: 007A3B28

Part of subcall function 007A3041: GetSysColorBrush.USER32(0000000F), ref: 007A3074
Part of subcall function 007A3041: RegisterClassExW.USER32(00000030), ref: 007A309E
Part of subcall function 007A3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007A30AF
Part of subcall function 007A3041: InitCommonControlsEx.COMCTL32(?), ref: 007A30CC
Part of subcall function 007A3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007A30DC
Part of subcall function 007A3041: LoadIconW.USER32(000000A9), ref: 007A30F2
Part of subcall function 007A3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007A3101

Strings

AutoIt v3, xrefs: 007A3B17
0, xrefs: 007A3B06
#, xrefs: 007A3B0D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d9d6a2392884ef544f3f2a1b547687842abfc238ef678d7fd4822090d984e34c
Instruction ID: 39adfc7922c634810809634fd13ad87071adbd2f9f725d7e6a11f3f590ca1242
Opcode Fuzzy Hash: d9d6a2392884ef544f3f2a1b547687842abfc238ef678d7fd4822090d984e34c
Instruction Fuzzy Hash: 60213971900344AFEB109FA4EC19B9D7FB5FB08710F01512AF604A63A1E3FA5664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 007A3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 007A36D2
KillTimer.USER32(?,00000001), ref: 007A36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007A371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007A372A
CreatePopupMenu.USER32 ref: 007A373E
PostQuitMessage.USER32(00000000), ref: 007A375F

Strings

TaskbarCreated, xrefs: 007A3725

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 3f36eb2da2381726cf2fc6099f563ae2886f82539262f94e8e839712438c980c
Instruction ID: e656f7e157ebbda7ac205bc5234205dcedba93860027b7090330b9939285d6a6
Opcode Fuzzy Hash: 3f36eb2da2381726cf2fc6099f563ae2886f82539262f94e8e839712438c980c
Instruction Fuzzy Hash: 3441F9B1200189FBDB245F78DC4DB793765FB86300F140339F602D63A2DAAD9D6597A1

Uniqueness

Uniqueness Score: -1.00%

Function 007A3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 007A380D
/ErrorStdOut, xrefs: 007A388F
/AutoIt3OutputDebug, xrefs: 007A38A4
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007A37C0
/AutoIt3ExecuteLine, xrefs: 007A38B9
/AutoIt3ExecuteScript, xrefs: 007A38CE
CMDLINE, xrefs: 007A3834

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: ed38190b00a976a104ed89e01d05a81b09b9b9bd69329e1badb5dd295e4e4c0b
Instruction ID: e3523b0283172e763743caa0e60430476030b8657b7a27047d199751f1ea6e96
Opcode Fuzzy Hash: ed38190b00a976a104ed89e01d05a81b09b9b9bd69329e1badb5dd295e4e4c0b
Instruction Fuzzy Hash: 4CA15371D1026DEACB04EF90DC99DEEB778BF95300F140229F516A7191EF785A09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01102620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011026F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01102917

Memory Dump Source

Source File: 00000001.00000002.1287480188.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1100000_Payment.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: cc9951c737b8f8bf4d901385373b8dee67c96404390f8d6c47b8570e42f52e41
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: 63A10974E00209EBDB19CFA4C898BEEBBB5BF48304F208159E611BB2C1D7B59A41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 007A39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007A3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007A3A36
ShowWindow.USER32(00000000,?,?), ref: 007A3A4A
ShowWindow.USER32(00000000,?,?), ref: 007A3A53

Strings

AutoIt v3, xrefs: 007A3A0D, 007A3A12, 007A3A13
edit, xrefs: 007A3A30

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: acfc0262f3658e0a80055b630654c628f9346809638d67b2e1e5f65cdbe54b4e
Instruction ID: 61c9a371a728a284dc0ccee9f19bd0ac21a8a598ef82699422a35895a9ebbe82
Opcode Fuzzy Hash: acfc0262f3658e0a80055b630654c628f9346809638d67b2e1e5f65cdbe54b4e
Instruction Fuzzy Hash: CFF03A706002E07EEB3017236C19E273E7DF7C6F60F02503AFA00A2271D2E50861DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 01102410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01102300: Sleep.KERNELBASE(000001F4), ref: 01102311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01102517

Strings

O2YGNM1GMOZRK5, xrefs: 0110257A, 0110257D

Memory Dump Source

Source File: 00000001.00000002.1287480188.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1100000_Payment.jbxd

Similarity

API ID: CreateFileSleep
String ID: O2YGNM1GMOZRK5
API String ID: 2694422964-2141476061
Opcode ID: 7f8b16f4214ab5887128992836a60a2ac8594bc61a2e94b13497016d206c8267
Instruction ID: 61c6894e1c27700e2c4a85562f351e8b1232c7f87530733519257ddfac886f69
Opcode Fuzzy Hash: 7f8b16f4214ab5887128992836a60a2ac8594bc61a2e94b13497016d206c8267
Instruction Fuzzy Hash: 25519271D04249EBEF15DBA4C818BEFBBB5AF19300F004199E609BB2C0DBB95B45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 007A410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007DD5EC

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

_memset.LIBCMT ref: 007A418D
_wcscpy.LIBCMT ref: 007A41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007A41F1

Strings

Line: , xrefs: 007DD615

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 831993e60a7c38823b0b56cceaead90626f20b9e9025dee08c4616554088117d
Instruction ID: f8b2180afbf9313f6531a06a40ce8edc647cf143bdfe089a81dd058aa719f213
Opcode Fuzzy Hash: 831993e60a7c38823b0b56cceaead90626f20b9e9025dee08c4616554088117d
Instruction Fuzzy Hash: EB31C471008344AAD325EB60DC5AFDB77ECBFC5300F10461EF19592191EBB8AA59CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007C564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 007C56AB
_memcpy_s.LIBCMT ref: 007C571D
__read_nolock.LIBCMT ref: 007C577B
__filbuf.LIBCMT ref: 007C579E
_memset.LIBCMT ref: 007C57E2

Part of subcall function 007C8D68: __getptd_noexit.LIBCMT ref: 007C8D68

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 7388daeebf1167d13a155a89882453d301aa3985119d564e805eaba757852a49
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: DD518030A00B05DBDB249FA98884F6E77B5AF50720F64872DE825962D1D77AADD08B50

Uniqueness

Uniqueness Score: -1.00%

Function 007A69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 007A4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007A4F6F

_free.LIBCMT ref: 007DE68C
_free.LIBCMT ref: 007DE6D3

Part of subcall function 007A6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007A6D0D

Strings

Bad directive syntax error, xrefs: 007DE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 007DE462

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 471bd051a06a2da1d21e1b4190bb1852e11d71d8952e72b8d5fb0d3fcf4e139b
Instruction ID: f0dc3c97cf8444e84eb4011f43f3c848f8e85df6973d6435354a3c47de1716a5
Opcode Fuzzy Hash: 471bd051a06a2da1d21e1b4190bb1852e11d71d8952e72b8d5fb0d3fcf4e139b
Instruction Fuzzy Hash: 21918D71910219EFCF05EFA4CC859EDBBB4FF59314F14452AF816AB291EB38A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 007A35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007A35A1,SwapMouseButtons,00000004,?), ref: 007A35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007A35A1,SwapMouseButtons,00000004,?,?,?,?,007A2754), ref: 007A35F5
RegCloseKey.KERNELBASE(00000000,?,?,007A35A1,SwapMouseButtons,00000004,?,?,?,?,007A2754), ref: 007A3617

Strings

Control Panel\Mouse, xrefs: 007A35D2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b612265a1855d89f494fc007f22b1b8d430243d3cf50c9d74f54d3881d45aaf6
Instruction ID: 3a9194ffbdc5e1cab6f97b27b079ccbd8c2fbb096f93eefd8ad0a5b58d8f248a
Opcode Fuzzy Hash: b612265a1855d89f494fc007f22b1b8d430243d3cf50c9d74f54d3881d45aaf6
Instruction Fuzzy Hash: 69114871910208BFDB208FA4DC40DAFB7B8EF45740F00866AF905D7210E2719E419B60

Uniqueness

Uniqueness Score: -1.00%

Function 01101300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01101B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01101B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01101B73

Memory Dump Source

Source File: 00000001.00000002.1287480188.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1100000_Payment.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: 555cc217b76cea5562fe023b750f6815007da3d64ac200a4151e828893dc4766
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 5C62FE30E14658DBEB29CBA4C854BDEB771EF58300F1091A9D10DEB2D0E7B99E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 008097E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 007A5045: _fseek.LIBCMT ref: 007A505D

Part of subcall function 008099BE: _wcscmp.LIBCMT ref: 00809AAE
Part of subcall function 008099BE: _wcscmp.LIBCMT ref: 00809AC1

_free.LIBCMT ref: 0080992C
_free.LIBCMT ref: 00809933
_free.LIBCMT ref: 0080999E

Part of subcall function 007C2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,007C9C64), ref: 007C2FA9
Part of subcall function 007C2F95: GetLastError.KERNEL32(00000000,?,007C9C64), ref: 007C2FBB

_free.LIBCMT ref: 008099A6

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 254fe2d571c497247f002b0a3e0cbf13b4ebabd5ba8f6f194aaed9b8e9ad23f0
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: F9516FB1904218EFDF249F64CC45A9EBB79FF48310F1005AEF649A7282DB755A80CF59

Uniqueness

Uniqueness Score: -1.00%

Function 007C493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007C49D0
__flush.LIBCMT ref: 007C49F0
__write.LIBCMT ref: 007C4A23
__flsbuf.LIBCMT ref: 007C4A51

Part of subcall function 007C8D68: __getptd_noexit.LIBCMT ref: 007C8D68

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 2d84e9504b6dfbfb60076614d0850ea5f4898726e31cabd2d89032c44cf68ebe
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 8D41D671A00615ABDF28CE69C8A4FAF77A5EF80360B24C13DE855C7640D778ED408B44

Uniqueness

Uniqueness Score: -1.00%

Function 007A73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007DEE62
GetOpenFileNameW.COMDLG32(?), ref: 007DEEAC

Part of subcall function 007A48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007A48A1,?,?,007A37C0,?), ref: 007A48CE

Part of subcall function 007C09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C09F4

Strings

X, xrefs: 007DEE7A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 47e60baf86dd0baba9d64bad0fe8f67639b939a3452954ad8002f62a5bc4a6ea
Instruction ID: 57cff368f9c04a7c5fe89cfc00f16ce287d54ce2ae3d234d8ec1137e83804373
Opcode Fuzzy Hash: 47e60baf86dd0baba9d64bad0fe8f67639b939a3452954ad8002f62a5bc4a6ea
Instruction Fuzzy Hash: E621A471A00298DBDB159F94CC49BEE7BF8AF89301F00801AE508EB241DBBC598DCF91

Uniqueness

Uniqueness Score: -1.00%

Function 0080901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00809036
__fread_nolock.LIBCMT ref: 0080904B

Strings

EA06, xrefs: 0080907D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: fc35b1adbf94f8d28942acccbd43cc0d3ae3c1cb853dc94cdf9d5e3daebdbad0
Instruction ID: 6434b10224680457617d6cb6c5e6db2fb6240b4834ec4201960544eeb45502a0
Opcode Fuzzy Hash: fc35b1adbf94f8d28942acccbd43cc0d3ae3c1cb853dc94cdf9d5e3daebdbad0
Instruction Fuzzy Hash: 1801B972904658AEDB28C6A8CC5AFFE7BF8DB15301F00419EF592D2181E579E6488760

Uniqueness

Uniqueness Score: -1.00%

Function 00809B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00809B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00809B99

Strings

aut, xrefs: 00809B93

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e539992b6af73617210b5fa4af890c0b4febe551edbcd95fda5acabd221a3b73
Instruction ID: bc2e7b2b09222dde2711b64d90205c43dfbecc883e92c00a99104700d5e16a7d
Opcode Fuzzy Hash: e539992b6af73617210b5fa4af890c0b4febe551edbcd95fda5acabd221a3b73
Instruction Fuzzy Hash: C3D05E7954030DABDB209B90DC4EF9A773CF704701F0082B1BF64D11A2DEB45599CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0081CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11b7ab11dddad256f0dbeea7cef6fb1b58505fc71dd59e473562d8447eb3eb7
Instruction ID: 113b8d80415c33ca3a81af6b56f11bb5c5e06f67a5eb3fe8ec8f62adf547d2d0
Opcode Fuzzy Hash: d11b7ab11dddad256f0dbeea7cef6fb1b58505fc71dd59e473562d8447eb3eb7
Instruction Fuzzy Hash: 89F13670608705DFC714DF28C484AAABBE9FF89314F14892EF8999B251D774E985CF82

Uniqueness

Uniqueness Score: -1.00%

Function 007AF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 007C03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C03D3
Part of subcall function 007C03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 007C03DB
Part of subcall function 007C03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C03E6
Part of subcall function 007C03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C03F1
Part of subcall function 007C03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 007C03F9
Part of subcall function 007C03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 007C0401

Part of subcall function 007B6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,007AFA90), ref: 007B62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007AFB2D
OleInitialize.OLE32(00000000), ref: 007AFBAA
CloseHandle.KERNEL32(00000000), ref: 007E49F2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ae277b8f5291a6bceedd2f941ca13b018a00058e7899bbeb58103ca2510bfd6d
Instruction ID: 6c5868315abefccdc6c6d28f1844e57bb66757b7ff6807f4734fe09379442552
Opcode Fuzzy Hash: ae277b8f5291a6bceedd2f941ca13b018a00058e7899bbeb58103ca2510bfd6d
Instruction Fuzzy Hash: 7B81BCB09012C0DEC784DF69AD496157BE4FB98314B12A23AD219C7362FFB54429CF98

Uniqueness

Uniqueness Score: -1.00%

Function 007A43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 007A44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 007A44C3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 9fba7fda9dee4cc6d4fcf9fb1e699f84a448b2541a36b36a6827b39a4af1f8c1
Instruction ID: 0b09413f671ec0f20411c9265dc09a8d08771b4c9b833ed2133712f2f51db63e
Opcode Fuzzy Hash: 9fba7fda9dee4cc6d4fcf9fb1e699f84a448b2541a36b36a6827b39a4af1f8c1
Instruction Fuzzy Hash: 423182B05043419FD720DF24D884797BBF8FB89305F000A2EE59A83241E7B66944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007C594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 007C5963

Part of subcall function 007CA3AB: __NMSG_WRITE.LIBCMT ref: 007CA3D2
Part of subcall function 007CA3AB: __NMSG_WRITE.LIBCMT ref: 007CA3DC

__NMSG_WRITE.LIBCMT ref: 007C596A

Part of subcall function 007CA408: GetModuleFileNameW.KERNEL32(00000000,008643BA,00000104,?,00000001,00000000), ref: 007CA49A
Part of subcall function 007CA408: ___crtMessageBoxW.LIBCMT ref: 007CA548

Part of subcall function 007C32DF: ___crtCorExitProcess.LIBCMT ref: 007C32E5
Part of subcall function 007C32DF: ExitProcess.KERNEL32 ref: 007C32EE

Part of subcall function 007C8D68: __getptd_noexit.LIBCMT ref: 007C8D68

RtlAllocateHeap.NTDLL(01220000,00000000,00000001,00000000,?,?,?,007C1013,?), ref: 007C598F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 8e4ff2ec8847134e638848a612f1f67123fae52ba064f52aff7486a8d01514c1
Instruction ID: 69fb8eae92cbc4000e31588293bbd8a10362ece46ac1fc6f6d3e1dc058bc366c
Opcode Fuzzy Hash: 8e4ff2ec8847134e638848a612f1f67123fae52ba064f52aff7486a8d01514c1
Instruction Fuzzy Hash: D301D231300A15EEE6212B74E85AF2E73589F52B30F11016EF4019A282DEBEBD818761

Uniqueness

Uniqueness Score: -1.00%

Function 00809B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008097D2,?,?,?,?,?,00000004), ref: 00809B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008097D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00809B5B
CloseHandle.KERNEL32(00000000,?,008097D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00809B62

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 6c64e6c63c53b7c763af3e247d0e9d941e033849944080a2c95502d0d96d831b
Instruction ID: 54ed21fb4df5b1cddc887aada37c0582d9bebbde91fc098ca7f9812ed4972f57
Opcode Fuzzy Hash: 6c64e6c63c53b7c763af3e247d0e9d941e033849944080a2c95502d0d96d831b
Instruction Fuzzy Hash: 8EE08632180324B7D7321B54EC0AFCA7B28FB05771F108230FB54A90E187B12522D798

Uniqueness

Uniqueness Score: -1.00%

Function 00808F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00808FA5

Part of subcall function 007C2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,007C9C64), ref: 007C2FA9
Part of subcall function 007C2F95: GetLastError.KERNEL32(00000000,?,007C9C64), ref: 007C2FBB

_free.LIBCMT ref: 00808FB6
_free.LIBCMT ref: 00808FC8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: 8fa6e3bd22656905cff1a93b19d406c5ad055b302538365dbb0572ea8bd62e1b
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 23E012A1609706CADA64B578AD44F9357EEAF48360728081DB449DB183DE28E8828124

Uniqueness

Uniqueness Score: -1.00%

Function 007AAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 007E002B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: c3e12dddfc1b7a1663de5ecf78cc50e203ac53a72bfc5e6c598f2776abee2424
Instruction ID: fa07de9bbe8df76cba520e78eac7a0866e6f710f151dc66db924a9b18019869a
Opcode Fuzzy Hash: c3e12dddfc1b7a1663de5ecf78cc50e203ac53a72bfc5e6c598f2776abee2424
Instruction Fuzzy Hash: CD223A70608241DFC724DF14C494B6ABBE1FF8A304F158A5DE8968B362D779ED85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 007A4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007A4E1A

Strings

EA06, xrefs: 007DDCF5

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 4ce2de80d07bc360e65343c24993ccad67473af4e4bd021c04c997f8a284fef6
Instruction ID: 09d0525378ab75fff607cf4c3e82f92920dcb224c7af50caa673994b7d1a9e4b
Opcode Fuzzy Hash: 4ce2de80d07bc360e65343c24993ccad67473af4e4bd021c04c997f8a284fef6
Instruction Fuzzy Hash: 13416C71A08154DBDF215B648C557BF7FA6ABC3300F684265E8829A282C6EE8D4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 007A63A0 Relevance: 3.3, APIs: 2, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70329ddfae0c811cc7b0e08adc3b50f6bb105d78f09443d7626c4ea683a0db1b
Instruction ID: 78cf6a3ac718e2e4d5981a375cc0d04c224d4bd3e977911845e83513d43a1248
Opcode Fuzzy Hash: 70329ddfae0c811cc7b0e08adc3b50f6bb105d78f09443d7626c4ea683a0db1b
Instruction Fuzzy Hash: F5B1A171D00109DACF14EF94C8959FEB7B8FF9A310F584226E902A7295EB3C9E91CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007A492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 007A4992

Part of subcall function 007C35AC: __lock.LIBCMT ref: 007C35B2
Part of subcall function 007C35AC: DecodePointer.KERNEL32(00000001,?,007A49A7,007F81BC), ref: 007C35BE
Part of subcall function 007C35AC: EncodePointer.KERNEL32(?,?,007A49A7,007F81BC), ref: 007C35C9

Part of subcall function 007A4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007A4A73
Part of subcall function 007A4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007A4A88

Part of subcall function 007A3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007A3B7A
Part of subcall function 007A3B4C: IsDebuggerPresent.KERNEL32 ref: 007A3B8C
Part of subcall function 007A3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,008662F8,008662E0,?,?), ref: 007A3BFD
Part of subcall function 007A3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 007A3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007A49D2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 378c20983567e4bc7d8c35f4b85162a8dd7083d10b34c793e1025cb390ef1632
Instruction ID: 70b8de67d83b8574ecdd59dc090cdbee099c0e3ea11469c2dcc0e61a1e90cafa
Opcode Fuzzy Hash: 378c20983567e4bc7d8c35f4b85162a8dd7083d10b34c793e1025cb390ef1632
Instruction Fuzzy Hash: 53116A719083519BC300EF28E80994ABFF8FBD5710F01862EF155932B1EBB59565CB96

Uniqueness

Uniqueness Score: -1.00%

Function 007A5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,007A5981,?,?,?,?), ref: 007A5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,007A5981,?,?,?,?), ref: 007DE19C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f9cc0d70e98db1396f03c15632ad39bdb3414b7ea4022c41cc645a6f601d2bb
Instruction ID: 3bf12346d64fa0a57e1d8db6365c55b9501ab8d92d588c010a6eed4b8c75a64e
Opcode Fuzzy Hash: 5f9cc0d70e98db1396f03c15632ad39bdb3414b7ea4022c41cc645a6f601d2bb
Instruction Fuzzy Hash: 68015270244708BEF7291E24CC8AF663AACAB06778F108319BAE55E1E0C6B95E55CB54

Uniqueness

Uniqueness Score: -1.00%

Function 007C0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007C594C: __FF_MSGBANNER.LIBCMT ref: 007C5963
Part of subcall function 007C594C: __NMSG_WRITE.LIBCMT ref: 007C596A
Part of subcall function 007C594C: RtlAllocateHeap.NTDLL(01220000,00000000,00000001,00000000,?,?,?,007C1013,?), ref: 007C598F

std::exception::exception.LIBCMT ref: 007C102C
__CxxThrowException@8.LIBCMT ref: 007C1041

Part of subcall function 007C87DB: RaiseException.KERNEL32(?,?,?,0085BAF8,00000000,?,?,?,?,007C1046,?,0085BAF8,?,00000001), ref: 007C8830

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 35349ac590af7734af38a5fe2c01af710b13df2175142c417384c6ec8850f8b4
Instruction ID: 7a444110b3c7559f06ba57f119806737ec0ad1b2feaf20b6c4ff7b1b9eab7337
Opcode Fuzzy Hash: 35349ac590af7734af38a5fe2c01af710b13df2175142c417384c6ec8850f8b4
Instruction Fuzzy Hash: 10F0A43550021DE6CB21AA98EC09FDF77A8EF01351F50046EFD04E6592EFB99AD482D1

Uniqueness

Uniqueness Score: -1.00%

Function 007C582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C585C
__lock_file.LIBCMT ref: 007C587D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 2d63fc712720821303c9ac2b71bf87b0124e4f315828dd85cbf7f9657e734eb9
Instruction ID: 71102896a75f2047c6554e0ca1ccb04a39c714a41a21bad3bc3eb0b258a03c2a
Opcode Fuzzy Hash: 2d63fc712720821303c9ac2b71bf87b0124e4f315828dd85cbf7f9657e734eb9
Instruction Fuzzy Hash: A1018871800A04EBCF11AF658C09F9E7BA1BF40360F14821DF8145A161DB3A8A91DB51

Uniqueness

Uniqueness Score: -1.00%

Function 007C55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007C8D68: __getptd_noexit.LIBCMT ref: 007C8D68

__lock_file.LIBCMT ref: 007C561B

Part of subcall function 007C6E4E: __lock.LIBCMT ref: 007C6E71

__fclose_nolock.LIBCMT ref: 007C5626

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4bee919ab578e428d53bc8688685b2ceed775b36016acd66099573b899b6e7bc
Instruction ID: aae4da73324bc005b4fa6b0fe790c3bec119cbdd7bb2a9d8b509360fd979a1a5
Opcode Fuzzy Hash: 4bee919ab578e428d53bc8688685b2ceed775b36016acd66099573b899b6e7bc
Instruction Fuzzy Hash: 15F0B471900A04DAD760AF75880AF6E77E16F80B34F55820DE425BB1C1CF7CAD819B5A

Uniqueness

Uniqueness Score: -1.00%

Function 011012FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01101B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01101B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01101B73

Memory Dump Source

Source File: 00000001.00000002.1287480188.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1100000_Payment.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: bbcd3f1a5f85b45a079c6b3d2ce01fddc6b1d9a792147855e596928bdc4567e6
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: AA12CF24E24658C6EB24DF64D8507DEB232FF68300F1091E9910DEB7A5E77A4E81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 007B2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292a150b47f0aae511a4677933d86482604419e609308e2c97e244e1eb12111e
Instruction ID: a22d87b77e0d575c34684f93073d7cbc68d7d0564edd1c7b414df2b1e46c01d6
Opcode Fuzzy Hash: 292a150b47f0aae511a4677933d86482604419e609308e2c97e244e1eb12111e
Instruction Fuzzy Hash: 93516F35701604EFCF14EB68C999FAE77A5AF89710F148168F906AB392DA38ED01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007A766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007A774A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 137ddfd0232708e3b58a8764eb2c3eda55301eb74d4565348677704d51d6fb2f
Instruction ID: 48b5c256e0d6ed4c79c73a187a3019fe57ee0336b217374985f9d79cbf4b77c5
Opcode Fuzzy Hash: 137ddfd0232708e3b58a8764eb2c3eda55301eb74d4565348677704d51d6fb2f
Instruction Fuzzy Hash: 46318579208A02DFC7289F19C894A22F7E4FF8A310754C66DE9498B765E734D891CB94

Uniqueness

Uniqueness Score: -1.00%

Function 007A5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 007A5CF6

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 103c4d65d115a673dd76e0b23597f42cc17f39a3d19f729694afe327a411c6c1
Instruction ID: d491a75f7c208c6ed9a9863cd4d4188e705f2fa8ad0cfc704032cd5691628c35
Opcode Fuzzy Hash: 103c4d65d115a673dd76e0b23597f42cc17f39a3d19f729694afe327a411c6c1
Instruction Fuzzy Hash: 43316C31A00B0AEFCB18DF2DC484A6DB7B1FF89320F148629E81993714D735B960DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007E00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007E00E1

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5607c34372f83d98bcc0700cd6eaac483cd4a49643206ac0e5ae54f55b65f82a
Instruction ID: bd2bbb65fd708cf39a26bb68c321328c131765fc11b63d27ecc58592aca868cc
Opcode Fuzzy Hash: 5607c34372f83d98bcc0700cd6eaac483cd4a49643206ac0e5ae54f55b65f82a
Instruction Fuzzy Hash: A3411B74608351DFDB24DF14C488B1ABBE0BF86314F1989ACE9994B362C379EC85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007A4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A4D13: FreeLibrary.KERNEL32(00000000,?), ref: 007A4D4D

Part of subcall function 007C548B: __wfsopen.LIBCMT ref: 007C5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007A4F6F

Part of subcall function 007A4CC8: FreeLibrary.KERNEL32(00000000), ref: 007A4D02

Part of subcall function 007A4DD0: _memmove.LIBCMT ref: 007A4E1A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: cba64db2f25f6d33a5a0328633a2e727cfa96fdb24d98915f1b4c7fdc1ca4148
Instruction ID: a5b5ec4e18e2490f1cf6fdb5ae71da607f6dec534218ca9f20b453637bcfd7ac
Opcode Fuzzy Hash: cba64db2f25f6d33a5a0328633a2e727cfa96fdb24d98915f1b4c7fdc1ca4148
Instruction Fuzzy Hash: 9A11E732700205EACF24AF74DC0AF6E77A59FC1710F10963EF541A62C2DABA9A059B60

Uniqueness

Uniqueness Score: -1.00%

Function 007E01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 007E01BB

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0d197b857f97df585e271703656019992eeaa7d05d3d57d23c7b73101276a5d2
Instruction ID: e3f6368411862348ce8b642b050675168343e9f3eae5bff20a7b107c1524dea5
Opcode Fuzzy Hash: 0d197b857f97df585e271703656019992eeaa7d05d3d57d23c7b73101276a5d2
Instruction Fuzzy Hash: 73212474608341DFCB24DF64C445B1ABBE0BF8A314F048A6CE98A47722D739E885CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007A5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,007A5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 007A5D76

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c6e33dda6c3a5e093195cd70f2705bdecf310e65840531a3f1d0edc4a3636211
Instruction ID: 8dd64f265d723a2cc1957f179125ddf355f9980489d9c98ba266ec144699ae6b
Opcode Fuzzy Hash: c6e33dda6c3a5e093195cd70f2705bdecf310e65840531a3f1d0edc4a3636211
Instruction Fuzzy Hash: 75113A31200B019FD3308F15C488B66B7E9FF86760F10CA2EE5AA86A50D774E945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 007C0941 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411600ee5b60323fd304e9777ef0334b2049183b6d4d572a11f42ac8270b644a
Instruction ID: 9f78d473ddcbe4f11df4e06f8ede324fd281192e9785a4b4914e8d512626abfc
Opcode Fuzzy Hash: 411600ee5b60323fd304e9777ef0334b2049183b6d4d572a11f42ac8270b644a
Instruction Fuzzy Hash: C7018437509581CFA62587A59889F60BBB9FB8372431D92DD94499B023C674B81487D1

Uniqueness

Uniqueness Score: -1.00%

Function 007A7F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007A7F82

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 81493697be757b975a0c6ed5652a7c4d93deff9418cd33d5771e7bc70a58f4b3
Instruction ID: c880606287975d8451d39a48cf92058b49125d018adad589422ce0cee9d6bcd8
Opcode Fuzzy Hash: 81493697be757b975a0c6ed5652a7c4d93deff9418cd33d5771e7bc70a58f4b3
Instruction Fuzzy Hash: A901F972204701BED7245F38CC06F67BB98EB85760F10862EF55ACB1D1EA35E541C790

Uniqueness

Uniqueness Score: -1.00%

Function 007C4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 007C4AD6

Part of subcall function 007C8D68: __getptd_noexit.LIBCMT ref: 007C8D68

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2d2f14637d0c1a3bd8875c03ef9a15b100a36d87f1ecc6d1fe144205833dc146
Instruction ID: 1ac33d48d0ebc289633118868870c65bde6b32b9397b339209d30948c0a37350
Opcode Fuzzy Hash: 2d2f14637d0c1a3bd8875c03ef9a15b100a36d87f1ecc6d1fe144205833dc146
Instruction Fuzzy Hash: 40F0A471940219DBDFA1AF748C0AF9E77A1AF00325F04851CF8249A1D1CB7C8D51DF52

Uniqueness

Uniqueness Score: -1.00%

Function 007A4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007A4FDE

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 922a45ace3b99b319c04cfcd126566bca11f68ce6127f1edecb9ab237c960c9e
Instruction ID: 68b9ce0b8f225ce397679452958de42e4bfda711cd03e2b90a8df59a507cd139
Opcode Fuzzy Hash: 922a45ace3b99b319c04cfcd126566bca11f68ce6127f1edecb9ab237c960c9e
Instruction Fuzzy Hash: C8F03971105712CFCB349F64E494812BBF1BF8632A3289B3EE1D682610C7BAA891DF40

Uniqueness

Uniqueness Score: -1.00%

Function 007C09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C09F4

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 1f20398e7d6f7119f0c6035a6346e876c3bc86844bd921c6f2a6f2a6f9c8dc7c
Instruction ID: d97774c1c6d6a8d1b62c63133980c91c6936398502501450f6ed348c48b48274
Opcode Fuzzy Hash: 1f20398e7d6f7119f0c6035a6346e876c3bc86844bd921c6f2a6f2a6f9c8dc7c
Instruction Fuzzy Hash: 24E08676A0422897C720D6989C09FFA77EDDF89690F0441B6FD4CD7205D9649C818690

Uniqueness

Uniqueness Score: -1.00%

Function 00809129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0080914B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 6326f99085548119f8c3d84f4b891675b41c72911e2dc6d535faebc922853fc3
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: C2E06DB0604B009BD7748A24D815BA373E0FB06315F00091CF2DAC3242EB66B8418759

Uniqueness

Uniqueness Score: -1.00%

Function 007A5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,007DE16B,?,?,00000000), ref: 007A5DBF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ab16f5beaa08cc93cd3d5c3ef1b712660d00820203b43616aa4452a0480e38b5
Instruction ID: 6c94d5dfbbb28879951166047cd906c62ce934fcf08f346d9864be9983b8b674
Opcode Fuzzy Hash: ab16f5beaa08cc93cd3d5c3ef1b712660d00820203b43616aa4452a0480e38b5
Instruction Fuzzy Hash: D0D0C77464020CBFE710DB80DC46FA9777CE705710F500194FE0456290D6B27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 007C548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 007C5496

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4a6469cda14a7cdaa1fc6fb435ce0075d1a08b5e7703fc8486f7507082bed3fa
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: A0B0927684020CB7DE012E82EC02F593B199B40779F808024FB0C18162A677A6A09689

Uniqueness

Uniqueness Score: -1.00%

Function 0080D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0080D46A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 13c59cac91ba7ae125a356ca0caac8514e0d6a8983f4fb08bdcaf2bf89180720
Instruction ID: c48e5bafd1732cdd88ad328084a7a0a9246ab8c7a1fb8e9bc5ceb1178b5d2426
Opcode Fuzzy Hash: 13c59cac91ba7ae125a356ca0caac8514e0d6a8983f4fb08bdcaf2bf89180720
Instruction Fuzzy Hash: 87716F30204701CFC754EF64C895A6AB7E4FF89314F044A6DF9969B2A2DB34E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007C0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007C0EF7

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: fa7343088696bd816139d144ebfcbbe4415d5695af5303c2e47e55572dba193b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1831C271A40105DFC718EF58D480A69FBA6FF59300B688AADE40ACB651DB35EDC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01102300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01102311

Memory Dump Source

Source File: 00000001.00000002.1287480188.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1100000_Payment.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 25c8734f981d3987bcbebc289fa7c08aaaf8997e4ab2042b3c6f7656dfe14fb9
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 85E0BF7494410D9FDB00EFB4D54969E7BB4EF04301F100561FD0192281D77099508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0082CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0082CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0082CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0082CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0082CF00
SendMessageW.USER32 ref: 0082CF29
_wcsncpy.LIBCMT ref: 0082CFA1
GetKeyState.USER32(00000011), ref: 0082CFC2
GetKeyState.USER32(00000009), ref: 0082CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0082CFE5
GetKeyState.USER32(00000010), ref: 0082CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0082D018
SendMessageW.USER32 ref: 0082D03F
SendMessageW.USER32(?,00001030,?,0082B602), ref: 0082D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0082D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0082D16E
SetCapture.USER32(?), ref: 0082D177
ClientToScreen.USER32(?,?), ref: 0082D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0082D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0082D203
ReleaseCapture.USER32 ref: 0082D20E
GetCursorPos.USER32(?), ref: 0082D248
ScreenToClient.USER32(?,?), ref: 0082D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0082D2B1
SendMessageW.USER32 ref: 0082D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0082D31C
SendMessageW.USER32 ref: 0082D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0082D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0082D37B
GetCursorPos.USER32(?), ref: 0082D39B
ScreenToClient.USER32(?,?), ref: 0082D3A8
GetParent.USER32(?), ref: 0082D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0082D431
SendMessageW.USER32 ref: 0082D462
ClientToScreen.USER32(?,?), ref: 0082D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0082D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0082D51A
SendMessageW.USER32 ref: 0082D53D
ClientToScreen.USER32(?,?), ref: 0082D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0082D5C3

Part of subcall function 007A25DB: GetWindowLongW.USER32(?,000000EB), ref: 007A25EC

GetWindowLongW.USER32(?,000000F0), ref: 0082D65F

Strings

F, xrefs: 0082D543
@GUI_DRAGID, xrefs: 0082D1AA

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 8f9659a0ecb99feaa8a2ba421d500b8165a3eee9c9fae62087952f2084f4bb99
Instruction ID: b3752c2dcac1e01dab88b0ef175d7d9faa04d3d884dd415659b8ba9f55f17998
Opcode Fuzzy Hash: 8f9659a0ecb99feaa8a2ba421d500b8165a3eee9c9fae62087952f2084f4bb99
Instruction Fuzzy Hash: 1442CB74204351AFCB20CF28D848EAABBF5FF88314F15462DF695C72A1D771A895CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0082804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0082873F

Strings

%d/%02d/%02d, xrefs: 00828478

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: cc4d3f1b3ed5cf72919d73eeb2a23d6168e91526564aca4a6f258b7436558832
Instruction ID: 009370308d81bafd33c84bc07c852c875d343aa477c78c3c023a8551b7910a6f
Opcode Fuzzy Hash: cc4d3f1b3ed5cf72919d73eeb2a23d6168e91526564aca4a6f258b7436558832
Instruction Fuzzy Hash: F212C171501228EFEF258F64EC49FAA7BB8FF49714F104129F915EA2A1EF748981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007B710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007B75C2
_memset.LIBCMT ref: 007B76B1
_memmove.LIBCMT ref: 007B7C4B
_memmove.LIBCMT ref: 007B7E4F

Strings

[:>:]], xrefs: 007B760A
[:<:]], xrefs: 007B75F1
Q\E, xrefs: 007B81C1
\b(?<=\w), xrefs: 007F3C41
DEFINE, xrefs: 007F25AF
Oa{, xrefs: 007F287E
\b(?=\w), xrefs: 007F3C34

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Oa{$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2822103939
Opcode ID: 2635fc4aeb8e113cc4a6c58143b706d30c4c30c4525f12d4053285bbec2645c3
Instruction ID: 94326317a94c6cf033ee93f18cd91e05cacabe087b5850b7a8ea1b92d55cb69d
Opcode Fuzzy Hash: 2635fc4aeb8e113cc4a6c58143b706d30c4c30c4525f12d4053285bbec2645c3
Instruction Fuzzy Hash: 68936F71A04219DBDB24CF58C881BBDB7B1FF48710F25816AEA55EB381E7789E81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007A4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 007A4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007DDA8E
IsIconic.USER32(?), ref: 007DDA97
ShowWindow.USER32(?,00000009), ref: 007DDAA4
SetForegroundWindow.USER32(?), ref: 007DDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007DDAC4
GetCurrentThreadId.KERNEL32 ref: 007DDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 007DDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 007DDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 007DDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 007DDAF8
SetForegroundWindow.USER32(?), ref: 007DDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 007DDB10
keybd_event.USER32(00000012,00000000), ref: 007DDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 007DDB25
keybd_event.USER32(00000012,00000000), ref: 007DDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007DDB33
keybd_event.USER32(00000012,00000000), ref: 007DDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 007DDB42
keybd_event.USER32(00000012,00000000), ref: 007DDB47
SetForegroundWindow.USER32(?), ref: 007DDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 007DDB71

Strings

Shell_TrayWnd, xrefs: 007DDA89

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 4014ee3aaa8ca27968572514aaf0b0dfecec32b795c319124688cdb4d8656ebc
Instruction ID: 157b55dd9e4281114f452f2df311e79774e55d185a75f1bdb52fa3ffa0fc9f5d
Opcode Fuzzy Hash: 4014ee3aaa8ca27968572514aaf0b0dfecec32b795c319124688cdb4d8656ebc
Instruction Fuzzy Hash: B5313071A40218BBEB316BA19D49F7E3E7CEB44B50F118036FA05AA291D6B45D01EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 007F8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 007F8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007F8D0D
Part of subcall function 007F8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007F8D3A
Part of subcall function 007F8CC3: GetLastError.KERNEL32 ref: 007F8D47

_memset.LIBCMT ref: 007F889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007F88ED
CloseHandle.KERNEL32(?), ref: 007F88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007F8915
GetProcessWindowStation.USER32 ref: 007F892E
SetProcessWindowStation.USER32(00000000), ref: 007F8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007F8952

Part of subcall function 007F8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007F8851), ref: 007F8728
Part of subcall function 007F8713: CloseHandle.KERNEL32(?,?,007F8851), ref: 007F873A

Strings

default, xrefs: 007F894D
, xrefs: 007F88AA
winsta0, xrefs: 007F8910

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: cadd18bcc7b8eacfecd753612e627606ce700fd2c8717e283e85a0383c3299ce
Instruction ID: f55b1555124f8bf79bb3af395aac4a64ceed7f9b52d3ac2b9a59631a534cd3d1
Opcode Fuzzy Hash: cadd18bcc7b8eacfecd753612e627606ce700fd2c8717e283e85a0383c3299ce
Instruction Fuzzy Hash: 81812B7190024DAFDF51DFA4DC49ABE7BB8FF04304F18816AFA10A6261DB398A15DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0081425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0082F910), ref: 00814284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00814292
GetClipboardData.USER32(0000000D), ref: 0081429A
CloseClipboard.USER32 ref: 008142A6
GlobalLock.KERNEL32(00000000), ref: 008142C2
CloseClipboard.USER32 ref: 008142CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 008142E1
IsClipboardFormatAvailable.USER32(00000001), ref: 008142EE
GetClipboardData.USER32(00000001), ref: 008142F6
GlobalLock.KERNEL32(00000000), ref: 00814303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00814337
CloseClipboard.USER32 ref: 00814447

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 5bade93f3f9be0304a8477b9c125539dddecd49935a6502c2c8a2ac06160107a
Instruction ID: aad2cf15b09a5706372bd73ce17877103e37c7d1d43983927b34f3b194df69fb
Opcode Fuzzy Hash: 5bade93f3f9be0304a8477b9c125539dddecd49935a6502c2c8a2ac06160107a
Instruction Fuzzy Hash: 81518071204205ABD311AF64DC8AFAE77BCFF85B00F108639F655D21A2DB74D945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0080C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0080C9F8
FindClose.KERNEL32(00000000), ref: 0080CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0080CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0080CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0080CAAF
__swprintf.LIBCMT ref: 0080CAFB
__swprintf.LIBCMT ref: 0080CB3E

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

__swprintf.LIBCMT ref: 0080CB92

Part of subcall function 007C38D8: __woutput_l.LIBCMT ref: 007C3931

__swprintf.LIBCMT ref: 0080CBE0

Part of subcall function 007C38D8: __flsbuf.LIBCMT ref: 007C3953
Part of subcall function 007C38D8: __flsbuf.LIBCMT ref: 007C396B

__swprintf.LIBCMT ref: 0080CC2F
__swprintf.LIBCMT ref: 0080CC7E
__swprintf.LIBCMT ref: 0080CCCD

Strings

%02d, xrefs: 0080CB86, 0080CB90, 0080CBDE, 0080CC2D, 0080CC7C, 0080CCCB
%4d, xrefs: 0080CB38
%4d%02d%02d%02d%02d%02d, xrefs: 0080CAF5

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 1263d9b20ece27039f3a230be23db444d9c7a77ab1c9ca2b43b5fde8065cf438
Instruction ID: 34c420021c8db5852a34bbeaadecd0bde397c98bf72a899d5178c07b9fb58fa3
Opcode Fuzzy Hash: 1263d9b20ece27039f3a230be23db444d9c7a77ab1c9ca2b43b5fde8065cf438
Instruction Fuzzy Hash: 76A11FB1508305EBC754EB64CC8ADAFB7ECFF95700F404A2DB685D6191EA38DA09C762

Uniqueness

Uniqueness Score: -1.00%

Function 0080F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0080F221
_wcscmp.LIBCMT ref: 0080F236
_wcscmp.LIBCMT ref: 0080F24D
GetFileAttributesW.KERNEL32(?), ref: 0080F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0080F279
FindNextFileW.KERNEL32(00000000,?), ref: 0080F291
FindClose.KERNEL32(00000000), ref: 0080F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0080F2B8
_wcscmp.LIBCMT ref: 0080F2DF
_wcscmp.LIBCMT ref: 0080F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0080F308
SetCurrentDirectoryW.KERNEL32(0085A5A0), ref: 0080F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0080F330
FindClose.KERNEL32(00000000), ref: 0080F33D
FindClose.KERNEL32(00000000), ref: 0080F34F

Strings

*.*, xrefs: 0080F2B3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: d357a0d599f7f2168edd0c8d0cb807e3bfc44d48dd145187997cc1e145058bae
Instruction ID: 95d3bab53f1293b64b5acf19c7d7cb63b69dd9ccb8862c6ce0d76743d721242d
Opcode Fuzzy Hash: d357a0d599f7f2168edd0c8d0cb807e3bfc44d48dd145187997cc1e145058bae
Instruction Fuzzy Hash: 0E31C576501219AADB70DBB4DC89EDE73ACFF09361F108279EA10E31D2EB34DA45CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00820AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00820BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0082F910,00000000,?,00000000,?,?), ref: 00820C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00820C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00820D1D
RegCloseKey.ADVAPI32(?), ref: 0082103D
RegCloseKey.ADVAPI32(00000000), ref: 0082104A

Strings

REG_SZ, xrefs: 00820D5B
REG_BINARY, xrefs: 00820FD8
REG_EXPAND_SZ, xrefs: 00820CBA
REG_MULTI_SZ, xrefs: 00820E05
REG_DWORD, xrefs: 00820F0E
REG_QWORD, xrefs: 00820F8B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 178d432c6d01f10c70defb7d7cda97379b03a40f058c6bbe1fb98442b0e86758
Instruction ID: a33791806012a14756a2e25f96c83fd0617b9f322411932d9982b14852910ec6
Opcode Fuzzy Hash: 178d432c6d01f10c70defb7d7cda97379b03a40f058c6bbe1fb98442b0e86758
Instruction Fuzzy Hash: CE023775200611EFCB14EF24D889A2AB7E5FF89714F04895DF98A9B362DB34ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0080F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0080F37E
_wcscmp.LIBCMT ref: 0080F393
_wcscmp.LIBCMT ref: 0080F3AA

Part of subcall function 008045C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008045DC

FindNextFileW.KERNEL32(00000000,?), ref: 0080F3D9
FindClose.KERNEL32(00000000), ref: 0080F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0080F400
_wcscmp.LIBCMT ref: 0080F427
_wcscmp.LIBCMT ref: 0080F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0080F450
SetCurrentDirectoryW.KERNEL32(0085A5A0), ref: 0080F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0080F478
FindClose.KERNEL32(00000000), ref: 0080F485
FindClose.KERNEL32(00000000), ref: 0080F497

Strings

*.*, xrefs: 0080F3FB

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: bf99360d086cf5c681c3b54c01ea0856e34d2e93a000302bdd57f18324c2556b
Instruction ID: 037b59ee274669c893f469afdb3abb5ade2c6cb7e3f9c27d4b6658286b18f889
Opcode Fuzzy Hash: bf99360d086cf5c681c3b54c01ea0856e34d2e93a000302bdd57f18324c2556b
Instruction Fuzzy Hash: 1831D5715016196ACB20ABA4EC88EDE77ACFF05321F108275EE10E21E2D734DA45CA54

Uniqueness

Uniqueness Score: -1.00%

Function 007F81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007F8766
Part of subcall function 007F874A: GetLastError.KERNEL32(?,007F822A,?,?,?), ref: 007F8770
Part of subcall function 007F874A: GetProcessHeap.KERNEL32(00000008,?,?,007F822A,?,?,?), ref: 007F877F
Part of subcall function 007F874A: HeapAlloc.KERNEL32(00000000,?,007F822A,?,?,?), ref: 007F8786
Part of subcall function 007F874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007F879D

Part of subcall function 007F87E7: GetProcessHeap.KERNEL32(00000008,007F8240,00000000,00000000,?,007F8240,?), ref: 007F87F3
Part of subcall function 007F87E7: HeapAlloc.KERNEL32(00000000,?,007F8240,?), ref: 007F87FA
Part of subcall function 007F87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007F8240,?), ref: 007F880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007F825B
_memset.LIBCMT ref: 007F8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007F828F
GetLengthSid.ADVAPI32(?), ref: 007F82A0
GetAce.ADVAPI32(?,00000000,?), ref: 007F82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007F82F9
GetLengthSid.ADVAPI32(?), ref: 007F8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007F8325
HeapAlloc.KERNEL32(00000000), ref: 007F832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007F834D
CopySid.ADVAPI32(00000000), ref: 007F8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007F8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007F83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007F83BF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: dd9fcbe3fd06146bcff1322c5e09fbfb9b15c10953f7231f863d101e27dd22ed
Instruction ID: 93197c7a851da33f458bc9d71b7677f7fb154377f799621c539931fa70b6028d
Opcode Fuzzy Hash: dd9fcbe3fd06146bcff1322c5e09fbfb9b15c10953f7231f863d101e27dd22ed
Instruction Fuzzy Hash: D5615A71900219EBDF10DFA4DC85EFEBBB9FF04700F148129EA15A63A1DB399A05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B6843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

LF), xrefs: 007F16DD
BSR_ANYCRLF), xrefs: 007F1757
BSR_UNICODE), xrefs: 007F1771
LIMIT_MATCH=, xrefs: 007F15A9
LIMIT_RECURSION=, xrefs: 007F1635
NO_START_OPT), xrefs: 007F1588
UTF16), xrefs: 007F1508
NO_AUTO_POSSESS), xrefs: 007F1567
ANYCRLF), xrefs: 007F1734
UCP), xrefs: 007F1546
ANY), xrefs: 007F1717
UTF), xrefs: 007F1533
Oa{, xrefs: 007F1888, 007F192F, 007F19DD
CR), xrefs: 007F16C0
CRLF), xrefs: 007F16FA

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa{$UCP)$UTF)$UTF16)
API String ID: 0-2780239882
Opcode ID: f8652919fef2a6613d383bab1e047e81c83b1ac550102ddcc6750a34964a31ce
Instruction ID: a6697075603239852974939b888d24aac6cb43c2711c46600b415e74f67373c8
Opcode Fuzzy Hash: f8652919fef2a6613d383bab1e047e81c83b1ac550102ddcc6750a34964a31ce
Instruction Fuzzy Hash: 6C724D75E00219DADB14DF58C8907FEB7B5FF48310F54816AEA49EB390EB789981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00820665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00820038,?,?), ref: 008210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00820737

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008207D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0082086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00820AAD
RegCloseKey.ADVAPI32(00000000), ref: 00820ABA

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 078e82d4a433d39ebada2b1135dfe80bf3683597cc0c225492cce35025df5719
Instruction ID: 1a47df2537b04c59a413d85bd1178a3328aecc80a71a7d4b9a679c586e4c6d45
Opcode Fuzzy Hash: 078e82d4a433d39ebada2b1135dfe80bf3683597cc0c225492cce35025df5719
Instruction Fuzzy Hash: 71E12A71204224EFCB14DF28D885E6ABBF8FF89714B04856DF94ADB262DA34E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00800219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00800241
GetAsyncKeyState.USER32(000000A0), ref: 008002C2
GetKeyState.USER32(000000A0), ref: 008002DD
GetAsyncKeyState.USER32(000000A1), ref: 008002F7
GetKeyState.USER32(000000A1), ref: 0080030C
GetAsyncKeyState.USER32(00000011), ref: 00800324
GetKeyState.USER32(00000011), ref: 00800336
GetAsyncKeyState.USER32(00000012), ref: 0080034E
GetKeyState.USER32(00000012), ref: 00800360
GetAsyncKeyState.USER32(0000005B), ref: 00800378
GetKeyState.USER32(0000005B), ref: 0080038A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ec30534bc963e5f2151bfbe3d5e1bd27302016bb07027862e02aee33745217e3
Instruction ID: 65460e6cc83295f8d7ec7ffea3637abb485250e1e54ceb413fa7802e7a3d235a
Opcode Fuzzy Hash: ec30534bc963e5f2151bfbe3d5e1bd27302016bb07027862e02aee33745217e3
Instruction Fuzzy Hash: 00418A245047C96EFFB25B648D083B5BEA1FF12344F08815DD5C5D62C2D79459C4CF92

Uniqueness

Uniqueness Score: -1.00%

Function 008186D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

CoInitialize.OLE32 ref: 00818718
CoUninitialize.OLE32 ref: 00818723
CoCreateInstance.OLE32(?,00000000,00000017,00832BEC,?), ref: 00818783
IIDFromString.OLE32(?,?), ref: 008187F6
VariantInit.OLEAUT32(?), ref: 00818890
VariantClear.OLEAUT32(?), ref: 008188F1

Strings

Invalid parameter, xrefs: 0081880F
Failed to create object, xrefs: 0081878E, 00818844
NULL Pointer assignment, xrefs: 008187C8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9b2cde13b63159ea40a6480b4603e28f86870c3a2e33d68e6149fee75a875162
Instruction ID: c488b2b16c78531c3ce9b4e00ed6fe5f0d34d613f1416dad773ec038b7e4c152
Opcode Fuzzy Hash: 9b2cde13b63159ea40a6480b4603e28f86870c3a2e33d68e6149fee75a875162
Instruction Fuzzy Hash: 2D617E70608301DFD710DF24C98AAAABBE8FF85714F144929F995DB291CB74ED84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00814458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0081447F
EmptyClipboard.USER32 ref: 00814485
GlobalAlloc.KERNEL32(00000002,?), ref: 0081449A
CloseClipboard.USER32 ref: 00814539

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 75bfadf0e1b7a461f75e882424d43bf61ec2b394e7db7187817096a08d14207c
Instruction ID: f6c58ba5d5b915f93fc7477be6d2bff5eaa1f0e3816bac52fa0c2d02ca3b37eb
Opcode Fuzzy Hash: 75bfadf0e1b7a461f75e882424d43bf61ec2b394e7db7187817096a08d14207c
Instruction Fuzzy Hash: 2E215C35201214DFDB20AF64EC09BA977A8FF54715F10C02AFA46DB2B2DB74A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00803A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007A48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007A48A1,?,?,007A37C0,?), ref: 007A48CE

Part of subcall function 00804CD3: GetFileAttributesW.KERNEL32(?,00803947), ref: 00804CD4

FindFirstFileW.KERNEL32(?,?), ref: 00803ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00803B87
MoveFileW.KERNEL32(?,?), ref: 00803B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00803BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00803BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00803BF5

Strings

\*.*, xrefs: 00803A8A, 00803A93, 00803AA8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: c73c39f82d4665cd0f5c496bf511b65a068cc15358968bfa907aba8c5aed978a
Instruction ID: 18af4f87d8236282dc0b237d8694d424375bce3836f70d07dc429ee7d2c77850
Opcode Fuzzy Hash: c73c39f82d4665cd0f5c496bf511b65a068cc15358968bfa907aba8c5aed978a
Instruction Fuzzy Hash: A9519D3190114C9ACF15EBA0CE968EDB7B8FF55314F2442A9E442B7092EF356F09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007B4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007B44DB
VUUU, xrefs: 007E7B0C
VUUU, xrefs: 007B4520
VUUU, xrefs: 007B44ED
ERCP, xrefs: 007B421F
Oa{, xrefs: 007B4984, 007E8173

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID: ERCP$Oa{$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1305645865
Opcode ID: eabd216267d4cbd29e943a53f9a44ea8b01a2b26427b796f770357a14396f85a
Instruction ID: 7cd3672e436336cefcafc773a1143d4c5a802249370e054d0769d89bbda253fa
Opcode Fuzzy Hash: eabd216267d4cbd29e943a53f9a44ea8b01a2b26427b796f770357a14396f85a
Instruction Fuzzy Hash: 37A29070E0525ACBDF28CF59C9807EDB7B1FF54314F1481AAD85AA7282E7389E81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0080F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0080F6AB
Sleep.KERNEL32(0000000A), ref: 0080F6DB
_wcscmp.LIBCMT ref: 0080F6EF
_wcscmp.LIBCMT ref: 0080F70A
FindNextFileW.KERNEL32(?,?), ref: 0080F7A8
FindClose.KERNEL32(00000000), ref: 0080F7BE

Strings

*.*, xrefs: 0080F690

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: bf7c8f6d9a439bce6babda78707474a74a44c15bf83e752c15a10e64359fc54d
Instruction ID: 2fc7fcd1cc93059fed959b961e477be96b85f3b954b972753b522ab65348538f
Opcode Fuzzy Hash: bf7c8f6d9a439bce6babda78707474a74a44c15bf83e752c15a10e64359fc54d
Instruction Fuzzy Hash: 7A41AF7190420A9FCF65DF64CC89AEEBBB4FF05310F14856AE914E2292EB349E44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007B58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007B5A05
_memmove.LIBCMT ref: 007B5A55
_memmove.LIBCMT ref: 007B5ABB

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4e0da4f16910ed8d65d1ed386521398c5b59255665a6a2671b08cae710faaa25
Instruction ID: 3ce640aa94c17f201c1c3b0703cbffc28a3a6a15c8bffae7c5dff69ab99c8dd7
Opcode Fuzzy Hash: 4e0da4f16910ed8d65d1ed386521398c5b59255665a6a2671b08cae710faaa25
Instruction Fuzzy Hash: 39126970A00609DFDF14DFA4D985BEEB7B5FF48300F108669E406A7292EB39AD51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007B5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 007C0FF6: std::exception::exception.LIBCMT ref: 007C102C
Part of subcall function 007C0FF6: __CxxThrowException@8.LIBCMT ref: 007C1041

_memmove.LIBCMT ref: 007F062F
_memmove.LIBCMT ref: 007F0744
_memmove.LIBCMT ref: 007F07EB

Strings

yZ{, xrefs: 007F0881, 007F07FF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ{
API String ID: 1300846289-602052519
Opcode ID: c7c7d5cfbf60babbb5be71868daf553c3cec788a54f757b1fd871295e2fca93e
Instruction ID: 3753617838676a170d16ca64b78d5d628efe067ba801d8bfc14a17a1ad571229
Opcode Fuzzy Hash: c7c7d5cfbf60babbb5be71868daf553c3cec788a54f757b1fd871295e2fca93e
Instruction Fuzzy Hash: 0A025CB0A00209DBDF04DF64D985ABEBBB5FF84310F1480A9E906DB356EB39D951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0080545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007F8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007F8D0D
Part of subcall function 007F8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007F8D3A
Part of subcall function 007F8CC3: GetLastError.KERNEL32 ref: 007F8D47

ExitWindowsEx.USER32(?,00000000), ref: 0080549B

Strings

@, xrefs: 0080548E
SeShutdownPrivilege, xrefs: 0080546B
, xrefs: 00805489

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7a7a7a76dc9e1e563b8e998bc17a533fb46a01e3efe19fbd39964313a67eb262
Instruction ID: 3622ebd958eac5df236e060e730ebad3470376acad6c2c9414d9148ffe2381b5
Opcode Fuzzy Hash: 7a7a7a76dc9e1e563b8e998bc17a533fb46a01e3efe19fbd39964313a67eb262
Instruction Fuzzy Hash: 490124B1654E096AF7F866789C4ABFB7268FB05352F200531FE06D21D3DA540C8089B8

Uniqueness

Uniqueness Score: -1.00%

Function 007B3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa{, xrefs: 007B3482

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa{
API String ID: 674341424-1068949949
Opcode ID: d65dd35b1ffde559880e9586925e41b5ef662de6f1232d10d8849a4707d26f14
Instruction ID: 40ccc4f32db7de56f3430f719832d60f2b9b9a045ab5b50068e0025b6c134c8b
Opcode Fuzzy Hash: d65dd35b1ffde559880e9586925e41b5ef662de6f1232d10d8849a4707d26f14
Instruction Fuzzy Hash: 96228A71608341DFC724DF24C885BABB7E4BF89704F10492DF59697291EB38EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00816596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008165EF
WSAGetLastError.WSOCK32(00000000), ref: 008165FE
bind.WSOCK32(00000000,?,00000010), ref: 0081661A
listen.WSOCK32(00000000,00000005), ref: 00816629
WSAGetLastError.WSOCK32(00000000), ref: 00816643
closesocket.WSOCK32(00000000,00000000), ref: 00816657

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: b1b4801bc4933b657c70c594b70ebafe72df4793f393fd86abf9b470bdf1fffe
Instruction ID: 957412fed1316267086eb766711afe1c821842f4bba870ba369eb0b99a0f07ed
Opcode Fuzzy Hash: b1b4801bc4933b657c70c594b70ebafe72df4793f393fd86abf9b470bdf1fffe
Instruction Fuzzy Hash: A4218F31200604DFCB10AF64C849AAEB7B9FF45720F148269FA56E73E2DB74AD51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007A1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 007A19FA
GetSysColor.USER32(0000000F), ref: 007A1A4E
SetBkColor.GDI32(?,00000000), ref: 007A1A61

Part of subcall function 007A1290: DefDlgProcW.USER32(?,00000020,?), ref: 007A12D8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: b0132e960fc2c7f90940d1c3b1dfef6e35ebb97a17a2ec4ef0a93eab359ef8b3
Instruction ID: 467fba3e43fbb4e54a3bb4a4293db1bec7405ef50ce24a31c62bb12979afaa59
Opcode Fuzzy Hash: b0132e960fc2c7f90940d1c3b1dfef6e35ebb97a17a2ec4ef0a93eab359ef8b3
Instruction Fuzzy Hash: ADA147B1105594FAF628AB395C48DBF26ADFBC3341F96831BF402D6292DE1C9D41D2B2

Uniqueness

Uniqueness Score: -1.00%

Function 00816A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008180A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008180CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00816AB1
WSAGetLastError.WSOCK32(00000000), ref: 00816ADA
bind.WSOCK32(00000000,?,00000010), ref: 00816B13
WSAGetLastError.WSOCK32(00000000), ref: 00816B20
closesocket.WSOCK32(00000000,00000000), ref: 00816B34

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d2516676519439649c134c29a1554ef80f0a53e1550771ae43d1e7796a7b3bbd
Instruction ID: feda0e5dfedb301ea3fb11fb22e7a0285801cf3c9a8610ca33c0de767cb4f18a
Opcode Fuzzy Hash: d2516676519439649c134c29a1554ef80f0a53e1550771ae43d1e7796a7b3bbd
Instruction Fuzzy Hash: BB41C675B00214EFEB10AF24DC8AF6E77A8EF85710F008158FA45AB3D2DA749D118791

Uniqueness

Uniqueness Score: -1.00%

Function 008255FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0082564C
IsWindowEnabled.USER32 ref: 0082565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00825667
IsIconic.USER32 ref: 00825675
IsZoomed.USER32 ref: 00825683

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f478da335a040de284951ee834a79fa6d421cd09f016806e72c51fc3ea646e9a
Instruction ID: dba5b1690d9f4184dd847c55b975c0b14a1faf963e0524577c57fae9edf8ff64
Opcode Fuzzy Hash: f478da335a040de284951ee834a79fa6d421cd09f016806e72c51fc3ea646e9a
Instruction Fuzzy Hash: E011E731740921AFE7211F26EC48B6F77A9FFA5721B448039F906D7252CB34DD42CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 0081C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007E1D88,?), ref: 0081C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0081C324

Strings

kernel32.dll, xrefs: 0081C30D
GetSystemWow64DirectoryW, xrefs: 0081C31E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 27ea6c8363528aa5b81af72ce6031a7050401104a63011894a5b90f373f0da86
Instruction ID: 0afe002be870806534b7e80097ffd6f37a6b78f0b43bf6722e47f6e88867427a
Opcode Fuzzy Hash: 27ea6c8363528aa5b81af72ce6031a7050401104a63011894a5b90f373f0da86
Instruction Fuzzy Hash: EDE0EC74640713CFDB314B25D808A8676E8FF18755F80C43AE9A9D2351E774D8D1CA60

Uniqueness

Uniqueness Score: -1.00%

Function 0081F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0081F151
Process32FirstW.KERNEL32(00000000,?), ref: 0081F15F

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Process32NextW.KERNEL32(00000000,?), ref: 0081F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0081F22E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 98fcc9021e7a642ed36b45b700770f5742692707fecf13e338a2cf7605820b75
Instruction ID: d0eabf3cf51a8ab79ecccd45b57ef2c388dcc12c470f1aa73ae125281bf4663d
Opcode Fuzzy Hash: 98fcc9021e7a642ed36b45b700770f5742692707fecf13e338a2cf7605820b75
Instruction Fuzzy Hash: 33514C71504300AFD310EF24DC85AABBBE8FF95710F504A2DF595972A2EB749904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008040B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008040D1
_memset.LIBCMT ref: 008040F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00804144
CloseHandle.KERNEL32(00000000), ref: 0080414D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: a072dcd857088c4556ebd05d9d08fa344f05780159b87fe3a2a4cf3d20e1e168
Instruction ID: f42485ae861f8875752fad84434a1e5334950f1c76d95d5a9566fe50b8fb1065
Opcode Fuzzy Hash: a072dcd857088c4556ebd05d9d08fa344f05780159b87fe3a2a4cf3d20e1e168
Instruction Fuzzy Hash: 3711EB75941228BAD7309BA59C4DFABBB7CEF45760F1041AAFA08E7180D6744E80CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007FEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007FEB19

Strings

(, xrefs: 007FEB5F
|, xrefs: 007FEB49

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 25391e88a07b5fb366f66d7df2ff6d57abd0934cdec22b2bc2ecc1a80e2d7bd1
Instruction ID: ebe5ed1efba1f41ff52163ebb4abec20e743eb3861aacf595a96dda11062ec26
Opcode Fuzzy Hash: 25391e88a07b5fb366f66d7df2ff6d57abd0934cdec22b2bc2ecc1a80e2d7bd1
Instruction Fuzzy Hash: C0322575A00605DFD728CF19C481A6AB7F1FF48310B15C56EE99ADB3A1EB70E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 008125E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 008126D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0081270C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 3cba3ac06d572bc450bb9fc1fda5cf470fcc84f9c1bc1635675ca44a404c55fb
Instruction ID: 3fe90aa523e831bb546dc09f42f8df435773efe82c12493c4d24909b81d50a1e
Opcode Fuzzy Hash: 3cba3ac06d572bc450bb9fc1fda5cf470fcc84f9c1bc1635675ca44a404c55fb
Instruction Fuzzy Hash: 6941A071600209BFEB209A94DC85EFBB7BCFF50728F10446EFA05E6181EA719EE19754

Uniqueness

Uniqueness Score: -1.00%

Function 0080B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0080B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0080B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0080B655

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 94cde5c217331e441daba075db9717f6d552c60c74a06415b36ea68bc07c69f1
Instruction ID: d02118d887280fed9af8e6fa2793dd0a7c864fe748500cf8351e57edee138ef0
Opcode Fuzzy Hash: 94cde5c217331e441daba075db9717f6d552c60c74a06415b36ea68bc07c69f1
Instruction Fuzzy Hash: 39219035A00118EFCB00EF65DC85AEDBBB8FF89310F0480A9E905EB361DB31A916CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007F8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007C0FF6: std::exception::exception.LIBCMT ref: 007C102C
Part of subcall function 007C0FF6: __CxxThrowException@8.LIBCMT ref: 007C1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007F8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007F8D3A
GetLastError.KERNEL32 ref: 007F8D47

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 5554b690088465f33a8f50bf8fcf41538b1cedc40146bace536dda37bb10fa7f
Instruction ID: 60e1bc4b5b75fe48d55cac3833d8f2ada3e56c52500dc29814f19a8e027119e6
Opcode Fuzzy Hash: 5554b690088465f33a8f50bf8fcf41538b1cedc40146bace536dda37bb10fa7f
Instruction Fuzzy Hash: 86116DB1514209AFD7289F54DC89D6BB7BCFB44710B20852EF55692242EB34A841CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00804C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00804C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00804C43
FreeSid.ADVAPI32(?), ref: 00804C53

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2ed2162f3b741163a4f0f49bee4d396b0281b1b5308ed94fd0fc1e62bc34cf79
Instruction ID: e42ccc0dced97ce483b27e2560d2924faea0cdbb8eed38833fb2ddbea4aec030
Opcode Fuzzy Hash: 2ed2162f3b741163a4f0f49bee4d396b0281b1b5308ed94fd0fc1e62bc34cf79
Instruction Fuzzy Hash: E7F03C75951308BBDB04DFE09D89AADB7B8FB08201F004469A601E2182D7705A448B50

Uniqueness

Uniqueness Score: -1.00%

Function 007AE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6682982c0655f4b2e4c89239b89ba2ac6f11f34413344d427437622142ab83b
Instruction ID: c086cd78f52b934389d1656c33216a6024026a55bf02b0da21cf5a3d6d97bd16
Opcode Fuzzy Hash: d6682982c0655f4b2e4c89239b89ba2ac6f11f34413344d427437622142ab83b
Instruction Fuzzy Hash: 3F22B070A00219CFDB24DF54C494BAEB7F5FF8A310F148269E8569B391E738AD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0080C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0080C966
FindClose.KERNEL32(00000000), ref: 0080C996

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f955594548db62e78175b1fcf5a201eeb1e8606d8575038dd3d703adf53deaca
Instruction ID: 42f67ec1d72213f7ebe5516a32719d1273f388126bba6b2979300aabb458294a
Opcode Fuzzy Hash: f955594548db62e78175b1fcf5a201eeb1e8606d8575038dd3d703adf53deaca
Instruction Fuzzy Hash: 321152716106049FD710DF29D84996AF7E9FF85324F00C61EF9A5D72A1DB34AC11CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0080A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0081977D,?,0082FB84,?), ref: 0080A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0081977D,?,0082FB84,?), ref: 0080A314

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bda1b1f0d8ae705cb26ae93e1871981586cd4451e0b93baae2e7c9c6731ae679
Instruction ID: 7a9eec340545bc29454778c9c67b86f953d15eb32fa1e06ea8636b0432270086
Opcode Fuzzy Hash: bda1b1f0d8ae705cb26ae93e1871981586cd4451e0b93baae2e7c9c6731ae679
Instruction Fuzzy Hash: 15F0823554532DFBDB209FA4CC49FEA776DFF09761F008266B908D6281D6309940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007F8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007F8851), ref: 007F8728
CloseHandle.KERNEL32(?,?,007F8851), ref: 007F873A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5306788a2ac19fba898f396be0e8384813dd76bf2a5cc69fc2f6f084b598b852
Instruction ID: 37c371cd2d67a85357965d90670f724774847c7256478aeb52d716c268083019
Opcode Fuzzy Hash: 5306788a2ac19fba898f396be0e8384813dd76bf2a5cc69fc2f6f084b598b852
Instruction Fuzzy Hash: D1E0B676010610EEE7352B61EC09E777BA9FB04750B24883DB99680472DB66ACD1DB10

Uniqueness

Uniqueness Score: -1.00%

Function 007CA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,007C8F97,?,?,?,00000001), ref: 007CA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007CA3A3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9dd1281d62af64eff73a7673de1e6e3bac4bd9e7a70b491f554e2dbbc1b23612
Instruction ID: 79e1d731e341581cdd9e4f5eb33024c394ae54fa9b3ff86186777837e361dbd4
Opcode Fuzzy Hash: 9dd1281d62af64eff73a7673de1e6e3bac4bd9e7a70b491f554e2dbbc1b23612
Instruction Fuzzy Hash: F6B09231054208EBCA106B91EC0DB883F78FB44AA2F408030F70D84262CB625452CA91

Uniqueness

Uniqueness Score: -1.00%

Function 007CF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24162710297659ec3cdc51bd3f21550ab5dd480cfb0effb59f33ece379cab26
Instruction ID: 48ad6c59956ad97b53f835c45968cfca022544af86003903ec41f1d0f723cdd6
Opcode Fuzzy Hash: d24162710297659ec3cdc51bd3f21550ab5dd480cfb0effb59f33ece379cab26
Instruction Fuzzy Hash: 19322362D29F454DD7239634DC32336A399AFB73D4F15DB3BE819B5AA6EB28C4834100

Uniqueness

Uniqueness Score: -1.00%

Function 007D267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bb763cd3c534007ebc2b2826dd40b0878583a696ddaa0d18a6d6a4c907ce6b
Instruction ID: 7bca92a71d401f059e1bd49ce2b15b5741c92f75dee4aa7805e5a9cfc24a72cc
Opcode Fuzzy Hash: b6bb763cd3c534007ebc2b2826dd40b0878583a696ddaa0d18a6d6a4c907ce6b
Instruction Fuzzy Hash: A7B1EE21D2AF414DD623A6398831336BA5CBFFB2D5F51DB1BFC6670E22EB2285834141

Uniqueness

Uniqueness Score: -1.00%

Function 00808B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00808B25

Part of subcall function 007C543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008091F8,00000000,?,?,?,?,008093A9,00000000,?), ref: 007C5443
Part of subcall function 007C543A: __aulldiv.LIBCMT ref: 007C5463

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: a280c3e6827662c4547a8dc763e1d818293d5ed18f5f6c4b512c2857c50330ed
Instruction ID: 8ee1822582d9cf895539b70a9a43ea13fc6cc574ce80ec8dd7f32071c7effaea
Opcode Fuzzy Hash: a280c3e6827662c4547a8dc763e1d818293d5ed18f5f6c4b512c2857c50330ed
Instruction Fuzzy Hash: 9621E172635610CBC329CF29D841A52B3E1FBA5321B299E6CD0E6CB2D0CA74B945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 008141FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00814218

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 952ff690f766390cf28c24a6d90bf8ef7f4e8fbadabdc95132fa251e8f7dd252
Instruction ID: 10f9817b49f3cc27e74a16ec5b186543d17aeb732f8d0fdf720978e695b989d1
Opcode Fuzzy Hash: 952ff690f766390cf28c24a6d90bf8ef7f4e8fbadabdc95132fa251e8f7dd252
Instruction Fuzzy Hash: 50E012312401149FC7109F59D444A9AB7ECEF95760F008026F94AD7252DA74A881CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00804EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00804EEC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5d6f96606c6fc60d7fc63965322e8e3f7d3724be43da08d03d592596c498757c
Instruction ID: 0c4e86d7f4778d798bd38ee84b3ff8df0ed69fb16226bae56a78334e27f21904
Opcode Fuzzy Hash: 5d6f96606c6fc60d7fc63965322e8e3f7d3724be43da08d03d592596c498757c
Instruction Fuzzy Hash: 54D09EE91E060979EDE84B25DC5FF771109F3017A5FD4759AB302C90C2D8D56C559031

Uniqueness

Uniqueness Score: -1.00%

Function 007F8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007F88D1), ref: 007F8CB3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 8048ff4a112494e6edd2bdd4f8ff23f5f719dff44525c623361ebdef8607253c
Instruction ID: 3a3d804ed25aefdb6314ae0ea8f20431f8f7498a5dc5fada94c355d2050643e8
Opcode Fuzzy Hash: 8048ff4a112494e6edd2bdd4f8ff23f5f719dff44525c623361ebdef8607253c
Instruction Fuzzy Hash: 6FD05E3226090EABEF018EA4DD01EAE3B69FB04B01F408121FE15D50A1C775D835EB60

Uniqueness

Uniqueness Score: -1.00%

Function 007E2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 007E2242

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: fa2e38dc1a1a9dd0c3c4b95aa5b4a1bc62411d5e45473ee1fa961f69dc8d69bd
Instruction ID: 37d0c27758260d92e1b789bf0526847db4f74ccc12acb82acd018c500b8099de
Opcode Fuzzy Hash: fa2e38dc1a1a9dd0c3c4b95aa5b4a1bc62411d5e45473ee1fa961f69dc8d69bd
Instruction Fuzzy Hash: 61C04CF1801109DBDB15DB90D988DEF77BCBB08304F104065A101F2101D7749B44CA71

Uniqueness

Uniqueness Score: -1.00%

Function 007CA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 007CA36A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b1cd9af12710fe748110f486cdb9e2377aa50c138826c3fb76da5c40c12c7aca
Instruction ID: d2ae1b4052f1af92b7201d9b41c0ce03b6da2a74cca3f3db59e6518ee48f27dd
Opcode Fuzzy Hash: b1cd9af12710fe748110f486cdb9e2377aa50c138826c3fb76da5c40c12c7aca
Instruction Fuzzy Hash: C9A0113000020CEB8A002B82EC08888BFACEA002A0B008030FA0C802228B32A8228A80

Uniqueness

Uniqueness Score: -1.00%

Function 007B8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d6b7a6f68be39bf4af5fc16053aef71ea3c26c491e83989efca16757845f5d
Instruction ID: 8094c57d2d98e9eed1f36f9ee339ebb8afd57d1528cdf4b7df9bcc0beabf221b
Opcode Fuzzy Hash: 63d6b7a6f68be39bf4af5fc16053aef71ea3c26c491e83989efca16757845f5d
Instruction Fuzzy Hash: EC225BB0505619DBCF688B28C4947FD7BA5FF01304F2884AAD6528B291DB3CDD81CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 007C2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 48d6dbe9e15d13a5e17a06f60e403b71aa050633a06a11a38537253fdf792c02
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 1DC1B63220609309DF2D4639D474A3EBBE15AA37B135A0B6DE4B3DB4C6EF18D535D620

Uniqueness

Uniqueness Score: -1.00%

Function 007C283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 0c1b07bdf33485985422e1c654a4068151040fe21aec4e3a263fae364a825cde
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 73C1B63220519309DF2D4639C434A3EBBE15AA37B135A0B6DE4B2DB4D6EF28D535E620

Uniqueness

Uniqueness Score: -1.00%

Function 00817B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00817B70
DeleteObject.GDI32(00000000), ref: 00817B82
DestroyWindow.USER32 ref: 00817B90
GetDesktopWindow.USER32 ref: 00817BAA
GetWindowRect.USER32(00000000), ref: 00817BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00817CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00817D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817D4A
GetClientRect.USER32(00000000,?), ref: 00817D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00817D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817DF8
GlobalFree.KERNEL32(00000000), ref: 00817E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00832CAC,00000000), ref: 00817E2B
GlobalFree.KERNEL32(00000000), ref: 00817E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00817E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00817E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00817EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0081808F

Strings

AutoIt v3, xrefs: 00817D42
, xrefs: 00818015
static, xrefs: 00817D8A, 00817EE1
DISPLAY, xrefs: 00817EF2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 320d2cbfdfddd10b937fdcfde98b3e047375bde06358c849e10624633059f3ce
Instruction ID: 57a5131db293470993b1ff54be116dcf69f29d2cc085cb5d6c114a1a9edf4442
Opcode Fuzzy Hash: 320d2cbfdfddd10b937fdcfde98b3e047375bde06358c849e10624633059f3ce
Instruction Fuzzy Hash: F3025771900119EFDB149FA4CD89EAE7BB9FF49310F108168FA15EB2A1DB74AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 008237F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0082F910), ref: 008238AF
IsWindowVisible.USER32(?), ref: 008238D3

Strings

UNCHECK, xrefs: 00823B0B
ADDSTRING, xrefs: 0082399E
ISENABLED, xrefs: 008238F3
CHECK, xrefs: 00823AF5
GETSELECTED, xrefs: 00823B2B
TABLEFT, xrefs: 0082390F
GETCURRENTCOL, xrefs: 00823BB0
GETLINE, xrefs: 00823C23
GETLINECOUNT, xrefs: 00823B4E
HIDEDROPDOWN, xrefs: 00823988
GETCURRENTLINE, xrefs: 00823B75
GETCURRENTSELECTION, xrefs: 00823A6B
FINDSTRING, xrefs: 008239FE
SETCURRENTSELECTION, xrefs: 00823A3E
CURRENTTAB, xrefs: 00823945
EDITPASTE, xrefs: 00823BE7
SENDCOMMANDID, xrefs: 00823C62
SHOWDROPDOWN, xrefs: 00823968
DELSTRING, xrefs: 008239D1
ISVISIBLE, xrefs: 008238BF
ISCHECKED, xrefs: 00823AC1
TABRIGHT, xrefs: 00823925
SELECTSTRING, xrefs: 00823A8E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: eb3fb64a241dd314edfae160140c6c349608985cce5657dbf6eb84a75725858c
Instruction ID: c1b62a254341a0ef35b0fa10a05aa4b72e1787bab9cb8898747f1e44e55b727a
Opcode Fuzzy Hash: eb3fb64a241dd314edfae160140c6c349608985cce5657dbf6eb84a75725858c
Instruction Fuzzy Hash: AAD1A730204319DBCB14EF60D465B6E77A5FF95354F00446CB9869B3A2DB39EE8ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 0082A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0082A89F
GetSysColorBrush.USER32(0000000F), ref: 0082A8D0
GetSysColor.USER32(0000000F), ref: 0082A8DC
SetBkColor.GDI32(?,000000FF), ref: 0082A8F6
SelectObject.GDI32(?,?), ref: 0082A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0082A930
GetSysColor.USER32(00000010), ref: 0082A938
CreateSolidBrush.GDI32(00000000), ref: 0082A93F
FrameRect.USER32(?,?,00000000), ref: 0082A94E
DeleteObject.GDI32(00000000), ref: 0082A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0082A9A0
FillRect.USER32(?,?,?), ref: 0082A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0082A9FD

Part of subcall function 0082AB60: GetSysColor.USER32(00000012), ref: 0082AB99
Part of subcall function 0082AB60: SetTextColor.GDI32(?,?), ref: 0082AB9D
Part of subcall function 0082AB60: GetSysColorBrush.USER32(0000000F), ref: 0082ABB3
Part of subcall function 0082AB60: GetSysColor.USER32(0000000F), ref: 0082ABBE
Part of subcall function 0082AB60: GetSysColor.USER32(00000011), ref: 0082ABDB
Part of subcall function 0082AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0082ABE9
Part of subcall function 0082AB60: SelectObject.GDI32(?,00000000), ref: 0082ABFA
Part of subcall function 0082AB60: SetBkColor.GDI32(?,00000000), ref: 0082AC03
Part of subcall function 0082AB60: SelectObject.GDI32(?,?), ref: 0082AC10
Part of subcall function 0082AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0082AC2F
Part of subcall function 0082AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0082AC46
Part of subcall function 0082AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0082AC5B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 04595bf1aa82a81f01666ff550877534ca550899dee40ce1b102d2f613f9909a
Instruction ID: 29bc64cf7139745a4fb700c24c4cd8cb9db19ab6e15c64536913a6263c1d9a15
Opcode Fuzzy Hash: 04595bf1aa82a81f01666ff550877534ca550899dee40ce1b102d2f613f9909a
Instruction Fuzzy Hash: 8EA17E71008311AFD7259F64DD08E6B7BB9FF88321F108A39FA62D61A1D735D885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007A2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 007A2CA2
DeleteObject.GDI32(00000000), ref: 007A2CE8
DeleteObject.GDI32(00000000), ref: 007A2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 007A2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 007A2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 007DC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007DC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007DCAED

Part of subcall function 007A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007A2036,?,00000000,?,?,?,?,007A16CB,00000000,?), ref: 007A1B9A

SendMessageW.USER32(?,00001053), ref: 007DCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007DCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007DCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007DCB62

Strings

0, xrefs: 007DC981

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: fd3c86dab0818484e38c3b08e32979f3ce61ba002246892ab72f0c00244950a8
Instruction ID: 4b1a83c25f93ff0d84c66937528514bc760f202ca9b62a37214b2f216b7344e7
Opcode Fuzzy Hash: fd3c86dab0818484e38c3b08e32979f3ce61ba002246892ab72f0c00244950a8
Instruction Fuzzy Hash: 9B129030604202EFDB22CF28C988BA9B7F5BF45310F54867AE955DB662C739EC42DB51

Uniqueness

Uniqueness Score: -1.00%

Function 008177BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008177F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008178B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008178EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00817900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00817946
GetClientRect.USER32(00000000,?), ref: 00817952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00817996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008179A5
GetStockObject.GDI32(00000011), ref: 008179B5
SelectObject.GDI32(00000000,00000000), ref: 008179B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008179C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008179D2
DeleteDC.GDI32(00000000), ref: 008179DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00817A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00817A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00817A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00817A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00817A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00817AAE
GetStockObject.GDI32(00000011), ref: 00817AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00817AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00817ACE

Strings

AutoIt v3, xrefs: 0081793E
static, xrefs: 00817990, 00817AA8
DISPLAY, xrefs: 0081799B
msctls_progress32, xrefs: 00817A4F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ab50cd0715fe1d87489eccc42463cc13a9d223ababa777b07114682b15c44757
Instruction ID: 437b829ac734c12cc78a4ddcb28cc6967f8d4aed7d41e832f42fbda0e7ac3e7c
Opcode Fuzzy Hash: ab50cd0715fe1d87489eccc42463cc13a9d223ababa777b07114682b15c44757
Instruction Fuzzy Hash: 5DA18171A00215BFEB149B64DC4AFAA7BB9FF44710F008228FA14E72E1D7B4AD51CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0080AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0080AF89
GetDriveTypeW.KERNEL32(?,0082FAC0,?,\\.\,0082F910), ref: 0080B066
SetErrorMode.KERNEL32(00000000,0082FAC0,?,\\.\,0082F910), ref: 0080B1C4

Strings

CDROM, xrefs: 0080B09A
1394, xrefs: 0080B146
\\.\, xrefs: 0080AFDB
SATA, xrefs: 0080B177
RAMDisk, xrefs: 0080B090
SAS, xrefs: 0080B170
SSD, xrefs: 0080B0F1
RAID, xrefs: 0080B162
MMC, xrefs: 0080B185
Fixed, xrefs: 0080B0AE
Network, xrefs: 0080B0A4
SSA, xrefs: 0080B14D
Removable, xrefs: 0080B0B8
ATA, xrefs: 0080B13F
Virtual, xrefs: 0080B18C
ATAPI, xrefs: 0080B138
USB, xrefs: 0080B15B
FileBackedVirtual, xrefs: 0080B193
PhysicalDrive, xrefs: 0080B012
Unknown, xrefs: 0080B086, 0080B12A
iSCSI, xrefs: 0080B169
SCSI, xrefs: 0080B131
Fibre, xrefs: 0080B154

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c4c8cb4a6557048c7efb4baad571b75844e93bb25e2221a391290662c5dbeaaa
Instruction ID: ce42794da62541d578a3811ddfa09c41ccae816be0662d9e51c86fcbfc5729e8
Opcode Fuzzy Hash: c4c8cb4a6557048c7efb4baad571b75844e93bb25e2221a391290662c5dbeaaa
Instruction Fuzzy Hash: 1D51C230681709EBCB88DB10CDA2C7D77B0FB5A746B208215E92AE73D1DB399D45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 007A6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007A6A91
__wcsnicmp.LIBCMT ref: 007A6AA9
__wcsnicmp.LIBCMT ref: 007A6AC1
__wcsnicmp.LIBCMT ref: 007A6AD9
__wcsnicmp.LIBCMT ref: 007A6AF1
__wcsnicmp.LIBCMT ref: 007A6B09
__wcsnicmp.LIBCMT ref: 007A6B21
__wcsnicmp.LIBCMT ref: 007A6B35
__wcsnicmp.LIBCMT ref: 007A6B76
__wcsnicmp.LIBCMT ref: 007A6B8A
__wcsnicmp.LIBCMT ref: 007A6B9E
__wcsnicmp.LIBCMT ref: 007A6BB2

Strings

#include, xrefs: 007A6B03
Cannot parse #include, xrefs: 007DE819
Unterminated group of comments, xrefs: 007DE82C
#cs, xrefs: 007A6B2F, 007A6B84
#pragma compile, xrefs: 007A6A8B
#comments-start, xrefs: 007A6B1B, 007A6B70
Bad directive syntax error, xrefs: 007DE743
#comments-end, xrefs: 007A6B98
#notrayicon, xrefs: 007A6AA3
#ce, xrefs: 007A6BAC
#requireadmin, xrefs: 007A6ABB
#include-once, xrefs: 007A6AEB
#OnAutoItStartRegister, xrefs: 007A6AD3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 9640c25b80b41fc3e872bb18fb1debb52dfb55815dd1e82332b90f667ff38c15
Instruction ID: 989b69172d431ad41114a19447d44f7fe6a7c977cfd978cea5df6715551c3637
Opcode Fuzzy Hash: 9640c25b80b41fc3e872bb18fb1debb52dfb55815dd1e82332b90f667ff38c15
Instruction Fuzzy Hash: 4D812EB0640215FACB15BB20CC87FAF7768EF52700F148129FD45EE282EB6CDA51C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 0082AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0082AB99
SetTextColor.GDI32(?,?), ref: 0082AB9D
GetSysColorBrush.USER32(0000000F), ref: 0082ABB3
GetSysColor.USER32(0000000F), ref: 0082ABBE
CreateSolidBrush.GDI32(?), ref: 0082ABC3
GetSysColor.USER32(00000011), ref: 0082ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0082ABE9
SelectObject.GDI32(?,00000000), ref: 0082ABFA
SetBkColor.GDI32(?,00000000), ref: 0082AC03
SelectObject.GDI32(?,?), ref: 0082AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0082AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0082AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0082AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0082ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0082ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0082ACEC
DrawFocusRect.USER32(?,?), ref: 0082ACF7
GetSysColor.USER32(00000011), ref: 0082AD05
SetTextColor.GDI32(?,00000000), ref: 0082AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0082AD21
SelectObject.GDI32(?,0082A869), ref: 0082AD38
DeleteObject.GDI32(?), ref: 0082AD43
SelectObject.GDI32(?,?), ref: 0082AD49
DeleteObject.GDI32(?), ref: 0082AD4E
SetTextColor.GDI32(?,?), ref: 0082AD54
SetBkColor.GDI32(?,?), ref: 0082AD5E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c11ece08f4bb6b6dd5668e86ac698e1f8a48609eac0aa543242263ed88938f9f
Instruction ID: d165343c1575574f2ac8dd1994f1c1da5d3dbec47354f344c83300e37e0c8975
Opcode Fuzzy Hash: c11ece08f4bb6b6dd5668e86ac698e1f8a48609eac0aa543242263ed88938f9f
Instruction Fuzzy Hash: C9613C71900218EFDB259FA4DC48EAE7B79FF08720F108126FA15AB2A2D7759941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00828C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00828D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00828D45
CharNextW.USER32(0000014E), ref: 00828D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00828DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00828DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00828DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00828DF9
SetWindowTextW.USER32(?,0000014E), ref: 00828E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00828E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00828E8C
_memset.LIBCMT ref: 00828EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00828EFA
_memset.LIBCMT ref: 00828F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00828F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00828FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00829088
InvalidateRect.USER32(?,00000000,00000001), ref: 008290AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008290F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00829121
DrawMenuBar.USER32(?), ref: 00829130
SetWindowTextW.USER32(?,0000014E), ref: 00829158

Strings

0, xrefs: 008290C2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ae52c2fef5838316e3196984a44cedfab815fbf29cc42264b666962824285ad0
Instruction ID: bfa1302a96d0be40edff6df37d69f6252032be19302632db4565b2af1576e65d
Opcode Fuzzy Hash: ae52c2fef5838316e3196984a44cedfab815fbf29cc42264b666962824285ad0
Instruction Fuzzy Hash: A3E19170901229EBDF209F51DC88EEE7BB9FF05714F00816AF915EA291DB748A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00824B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00824C51
GetDesktopWindow.USER32 ref: 00824C66
GetWindowRect.USER32(00000000), ref: 00824C6D
GetWindowLongW.USER32(?,000000F0), ref: 00824CCF
DestroyWindow.USER32(?), ref: 00824CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00824D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00824D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00824D68
SendMessageW.USER32(?,00000421,?,?), ref: 00824D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00824D90
IsWindowVisible.USER32(?), ref: 00824DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00824DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00824DDF
GetWindowRect.USER32(?,?), ref: 00824DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00824E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00824E37
CopyRect.USER32(?,?), ref: 00824E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00824EB9

Strings

(, xrefs: 00824E2A
tooltips_class32, xrefs: 00824D1D
0, xrefs: 00824BFC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9b441015f0715b0ed83e0de570742c7a2c837f6e307e7390dae15081313363a6
Instruction ID: 071268e0c1f0ac05f4a7ef91f34e54f334c8e43bf077b6e870cfd97d848e438f
Opcode Fuzzy Hash: 9b441015f0715b0ed83e0de570742c7a2c837f6e307e7390dae15081313363a6
Instruction Fuzzy Hash: 52B19971604310AFDB14DF68D848B6ABBE4FF88310F008A2CF5999B2A1D770EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008046D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 008046E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0080470E
_wcscpy.LIBCMT ref: 0080473C
_wcscmp.LIBCMT ref: 00804747
_wcscat.LIBCMT ref: 0080475D
_wcsstr.LIBCMT ref: 00804768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00804784
_wcscat.LIBCMT ref: 008047CD
_wcscat.LIBCMT ref: 008047D4
_wcsncpy.LIBCMT ref: 008047FF

Strings

DefaultLangCodepage, xrefs: 008047E7
\VarFileInfo\Translation, xrefs: 0080477C
04090000, xrefs: 008047BA
%u.%u.%u.%u, xrefs: 00804862
StringFileInfo\, xrefs: 00804757

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 7806d165482bb3d924daae8a917ab24469b2feb2ddf10b26fad3c82101049094
Instruction ID: bc8ae678a426f3d8025af29f7cb345303b61258dc6e79b82e2949a6f369ac5bc
Opcode Fuzzy Hash: 7806d165482bb3d924daae8a917ab24469b2feb2ddf10b26fad3c82101049094
Instruction Fuzzy Hash: 64411471A40218BAEB14AA609C4BFBF77BCFF02710F00417DFE05E6183EB28994196A5

Uniqueness

Uniqueness Score: -1.00%

Function 007A27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007A28BC
GetSystemMetrics.USER32(00000007), ref: 007A28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007A28EF
GetSystemMetrics.USER32(00000008), ref: 007A28F7
GetSystemMetrics.USER32(00000004), ref: 007A291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007A2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007A2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007A297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007A2990
GetClientRect.USER32(00000000,000000FF), ref: 007A29AE
GetStockObject.GDI32(00000011), ref: 007A29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007A29D5

Part of subcall function 007A2344: GetCursorPos.USER32(?), ref: 007A2357
Part of subcall function 007A2344: ScreenToClient.USER32(008667B0,?), ref: 007A2374
Part of subcall function 007A2344: GetAsyncKeyState.USER32(00000001), ref: 007A2399
Part of subcall function 007A2344: GetAsyncKeyState.USER32(00000002), ref: 007A23A7

SetTimer.USER32(00000000,00000000,00000028,007A1256), ref: 007A29FC

Strings

AutoIt v3 GUI, xrefs: 007A2974

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: dd7de0cac1f3d1592d753e8c3e1f3e355a03f88668f783ee3bf11731ba17606e
Instruction ID: 0c327c119d1741fab16850f3afd0561ae4c258b6e5e3dafb3ed6446435262898
Opcode Fuzzy Hash: dd7de0cac1f3d1592d753e8c3e1f3e355a03f88668f783ee3bf11731ba17606e
Instruction Fuzzy Hash: 12B19E71A0020AEFDB14DFA8DD45BAE7BB4FB48310F118229FA15E7291DB78D852CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00824069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008240F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008241B6

Strings

SELECT, xrefs: 00824250
SELECTCLEAR, xrefs: 00824235
GETSELECTEDCOUNT, xrefs: 00824199
GETSUBITEMCOUNT, xrefs: 00824141
GETSELECTED, xrefs: 008242E4
SELECTALL, xrefs: 0082421D
VIEWCHANGE, xrefs: 00824375
GETTEXT, xrefs: 0082415F
DESELECT, xrefs: 008242A4
ISSELECTED, xrefs: 008241C1
FINDITEM, xrefs: 00824329
GETITEMCOUNT, xrefs: 00824128
SELECTINVERT, xrefs: 00824286

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: cfd81ad879172ff4fc039d757948775fc62d4754281416b8b6d51e6522726d00
Instruction ID: 459719554e5949f1cd6ea264f0f2ab451fdd63c297fe8f5ee3bf2718b181f622
Opcode Fuzzy Hash: cfd81ad879172ff4fc039d757948775fc62d4754281416b8b6d51e6522726d00
Instruction Fuzzy Hash: 5EA1CD30214315DBCB14EF20D849E6AB3A5FF95314F10896CB996DB392EB34ED49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008152F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00815309
LoadCursorW.USER32(00000000,00007F8A), ref: 00815314
LoadCursorW.USER32(00000000,00007F00), ref: 0081531F
LoadCursorW.USER32(00000000,00007F03), ref: 0081532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00815335
LoadCursorW.USER32(00000000,00007F01), ref: 00815340
LoadCursorW.USER32(00000000,00007F81), ref: 0081534B
LoadCursorW.USER32(00000000,00007F88), ref: 00815356
LoadCursorW.USER32(00000000,00007F80), ref: 00815361
LoadCursorW.USER32(00000000,00007F86), ref: 0081536C
LoadCursorW.USER32(00000000,00007F83), ref: 00815377
LoadCursorW.USER32(00000000,00007F85), ref: 00815382
LoadCursorW.USER32(00000000,00007F82), ref: 0081538D
LoadCursorW.USER32(00000000,00007F84), ref: 00815398
LoadCursorW.USER32(00000000,00007F04), ref: 008153A3
LoadCursorW.USER32(00000000,00007F02), ref: 008153AE
GetCursorInfo.USER32(?), ref: 008153BE
GetLastError.KERNEL32(00000001,00000000), ref: 008153E9

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 158397cb47b3a6126bb5f92648fea04b26881a935a33275aa75cec203ce5be2b
Instruction ID: a2dc680d8a15880f37cf9deb79b68d842bf407c0d20a57682a1283da168c32fc
Opcode Fuzzy Hash: 158397cb47b3a6126bb5f92648fea04b26881a935a33275aa75cec203ce5be2b
Instruction Fuzzy Hash: 3B418470E04319AADB109FB68C498AEFFFCFF81B10B10452FE519E7291DAB89441CE55

Uniqueness

Uniqueness Score: -1.00%

Function 007FAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007FAAA5
__swprintf.LIBCMT ref: 007FAB46
_wcscmp.LIBCMT ref: 007FAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007FABAE
_wcscmp.LIBCMT ref: 007FABEA
GetClassNameW.USER32(?,?,00000400), ref: 007FAC21
GetDlgCtrlID.USER32(?), ref: 007FAC73
GetWindowRect.USER32(?,?), ref: 007FACA9
GetParent.USER32(?), ref: 007FACC7
ScreenToClient.USER32(00000000), ref: 007FACCE
GetClassNameW.USER32(?,?,00000100), ref: 007FAD48
_wcscmp.LIBCMT ref: 007FAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 007FAD82
_wcscmp.LIBCMT ref: 007FAD96

Part of subcall function 007C386C: _iswctype.LIBCMT ref: 007C3874

Strings

%s%u, xrefs: 007FAB40

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6ac40543695a68221577d5dc68d079013482a7f6143e44b6434a27e1763ef858
Instruction ID: ecfc7e9771584bdd0911c05bae99c19f085ffb3b6305c5eb82f0430b27c87b74
Opcode Fuzzy Hash: 6ac40543695a68221577d5dc68d079013482a7f6143e44b6434a27e1763ef858
Instruction Fuzzy Hash: 81A19FB120460ABBD714DF64C884FBAB7E8FF44315F008629EA9DD2651D738E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007FB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 007FB3DB
_wcscmp.LIBCMT ref: 007FB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 007FB414
CharUpperBuffW.USER32(?,00000000), ref: 007FB431
_wcscmp.LIBCMT ref: 007FB44F
_wcsstr.LIBCMT ref: 007FB460
GetClassNameW.USER32(00000018,?,00000400), ref: 007FB498
_wcscmp.LIBCMT ref: 007FB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 007FB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 007FB518
_wcscmp.LIBCMT ref: 007FB528
GetClassNameW.USER32(00000010,?,00000400), ref: 007FB550
GetWindowRect.USER32(00000004,?), ref: 007FB5B9

Strings

@, xrefs: 007FB3BC
ThumbnailClass, xrefs: 007FB4A3, 007FB523

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 4461ab56a96ab93b5a54894102e52c15ce8b227ebe761a9873e1c513ccf57d13
Instruction ID: f0266c5f3a4b83ff9aa04064fc169e426f65e5ad64816f6ac3fe0ac228e6c212
Opcode Fuzzy Hash: 4461ab56a96ab93b5a54894102e52c15ce8b227ebe761a9873e1c513ccf57d13
Instruction Fuzzy Hash: 8081BE710082499FDB14DF10C985FBA7BE8FF44314F088569FE859A292DB38DD4ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 007FB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007FB23F

Strings

[ALL, xrefs: 007FB2E5
HANDLE=, xrefs: 007FB238
[HANDLE:, xrefs: 007FB24B
[CLASS:, xrefs: 007FB28F
ACTIVE, xrefs: 007FB21A
[REGEXPTITLE:, xrefs: 007FB267
[ACTIVE, xrefs: 007FB22C
REGEXP=, xrefs: 007FB254
ALL, xrefs: 007FB2D3
LAST, xrefs: 007FB204
[LAST, xrefs: 007FB2EC
CLASSNAME=, xrefs: 007FB27C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 86a2ec7dc2dd8cffb9a138f4f371cbf0e095a05616f525c3a65a85236a0171d7
Instruction ID: c2861026d0dd73211becbb69e8eb43a0c21fa6e794de3992f2aa51c3d8c95064
Opcode Fuzzy Hash: 86a2ec7dc2dd8cffb9a138f4f371cbf0e095a05616f525c3a65a85236a0171d7
Instruction Fuzzy Hash: E531E131A44209E6DB14FA60CD47EFE77A8FF24751F604229F9A1B12D2EF2D6E08C591

Uniqueness

Uniqueness Score: -1.00%

Function 007FC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 007FC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007FC4E6
SetWindowTextW.USER32(?,?), ref: 007FC4FD
GetDlgItem.USER32(?,000003EA), ref: 007FC512
SetWindowTextW.USER32(00000000,?), ref: 007FC518
GetDlgItem.USER32(?,000003E9), ref: 007FC528
SetWindowTextW.USER32(00000000,?), ref: 007FC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007FC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007FC569
GetWindowRect.USER32(?,?), ref: 007FC572
SetWindowTextW.USER32(?,?), ref: 007FC5DD
GetDesktopWindow.USER32 ref: 007FC5E3
GetWindowRect.USER32(00000000), ref: 007FC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 007FC636
GetClientRect.USER32(?,?), ref: 007FC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 007FC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007FC693

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 2eac11f850cd04f38327b4519f2713b8c5a75840f64e16602f1ba6e4f59f5d0d
Instruction ID: 934c16a243b7756c31aeadf2dab4e2ccdb10c2b82c081988b9fa0eba02979c49
Opcode Fuzzy Hash: 2eac11f850cd04f38327b4519f2713b8c5a75840f64e16602f1ba6e4f59f5d0d
Instruction Fuzzy Hash: AA516C7090070DEFDB219FA8DE89B7EBBB5FF04704F104928E686A26A1C774A915CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0082A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0082A4C8
DestroyWindow.USER32(?,?), ref: 0082A542

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0082A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0082A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0082A5F1
DestroyWindow.USER32(00000000), ref: 0082A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007A0000,00000000), ref: 0082A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0082A663
GetDesktopWindow.USER32 ref: 0082A67C
GetWindowRect.USER32(00000000), ref: 0082A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0082A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0082A6B3

Part of subcall function 007A25DB: GetWindowLongW.USER32(?,000000EB), ref: 007A25EC

Strings

0, xrefs: 0082A4DE
tooltips_class32, xrefs: 0082A5B5, 0082A643

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: b72adc76bf0f202035cd3683d08390559917775034407ba513592e0c1f3bdef2
Instruction ID: 3c70067686a61a7624af10f1497dac3d552a4bb2985ec2a4e83c850eb1e11bce
Opcode Fuzzy Hash: b72adc76bf0f202035cd3683d08390559917775034407ba513592e0c1f3bdef2
Instruction Fuzzy Hash: CE71B971100245AFD724CF28DC49F667BEAFBA8300F08492CF985D72A1D7B5E986CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0082C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

DragQueryPoint.SHELL32(?,?), ref: 0082C917

Part of subcall function 0082ADF1: ClientToScreen.USER32(?,?), ref: 0082AE1A
Part of subcall function 0082ADF1: GetWindowRect.USER32(?,?), ref: 0082AE90
Part of subcall function 0082ADF1: PtInRect.USER32(?,?,0082C304), ref: 0082AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0082C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0082C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0082C9AE
_wcscat.LIBCMT ref: 0082C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0082C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0082CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0082CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0082CA47
DragFinish.SHELL32(?), ref: 0082CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0082CB41

Strings

@GUI_DRAGFILE, xrefs: 0082CAF0
@GUI_DRAGID, xrefs: 0082CAB9
@GUI_DROPID, xrefs: 0082CA6E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 3bf103d06c3f38ea70db799cbedab54c33e928b0a8f164ad9f5071cd87ecf404
Instruction ID: a75e871ce29441c3b70f32ea98faf770610460d749a83018dd40a4bbea65f077
Opcode Fuzzy Hash: 3bf103d06c3f38ea70db799cbedab54c33e928b0a8f164ad9f5071cd87ecf404
Instruction Fuzzy Hash: 43613C71108310AFC711EF64DC89D9FBBF8FB99710F004A2DF691961A1EB749A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00824619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008246AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008246F6

Strings

SELECT, xrefs: 008248A7
GETTEXT, xrefs: 00824849
COLLAPSE, xrefs: 0082473C
UNCHECK, xrefs: 008248D2
EXPAND, xrefs: 008247A8
GETTOTALCOUNT, xrefs: 008246DD
CHECK, xrefs: 00824716
GETITEMCOUNT, xrefs: 008247D8
GETSELECTED, xrefs: 00824806
ISCHECKED, xrefs: 00824879
EXISTS, xrefs: 0082475F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 05981303be004e092b053a3d89a38ad5d4dfb9d14a17fefb27c82390ff824072
Instruction ID: 09c13d2e3ef93065875aefcba773bbaa527a309678525a2c58a3e6ddc7ec48d4
Opcode Fuzzy Hash: 05981303be004e092b053a3d89a38ad5d4dfb9d14a17fefb27c82390ff824072
Instruction Fuzzy Hash: 3991BE34204315DFCB14EF20C455A6ABBA1FF95314F00856CF9969B3A2DB38ED9ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0082BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0082BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00829431), ref: 0082BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0082BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0082BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0082BC7D
FreeLibrary.KERNEL32(?), ref: 0082BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0082BC99
DestroyIcon.USER32(?,?,?,?,?,00829431), ref: 0082BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0082BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0082BCD1

Part of subcall function 007C313D: __wcsicmp_l.LIBCMT ref: 007C31C6

Strings

.dll, xrefs: 0082BB27
.exe, xrefs: 0082BB04
.icl, xrefs: 0082BAE4

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 520f1e0740b13b7eb395684cca5b3d1268787c38887d12e55bd25fb703970c10
Instruction ID: aed34c6f9fdfc8faef93348afabf29f53f2e97e0c98c708e4822c23f0cd02e5b
Opcode Fuzzy Hash: 520f1e0740b13b7eb395684cca5b3d1268787c38887d12e55bd25fb703970c10
Instruction Fuzzy Hash: 5861DF71500629FEEB24DF64DC45FBA77B8FB08720F108229F915E61D1DB78A991CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0080A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

CharLowerBuffW.USER32(?,?), ref: 0080A636
GetDriveTypeW.KERNEL32 ref: 0080A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0080A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0080A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0080A730

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

Strings

open , xrefs: 0080A692
close, xrefs: 0080A63C
type cdaudio alias cd wait, xrefs: 0080A6AE
wait, xrefs: 0080A6ED
close cd wait, xrefs: 0080A71B
closed, xrefs: 0080A64A, 0080A653
set cd door , xrefs: 0080A6D1
open, xrefs: 0080A65D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: b66e8202385fb62c5845b7bf26144d455f077d8c39a55ef9953b36abe881af16
Instruction ID: 7afe038145b22839a6aabb012f7dcaff2364758103aa9bdfd9a49995fd448c5f
Opcode Fuzzy Hash: b66e8202385fb62c5845b7bf26144d455f077d8c39a55ef9953b36abe881af16
Instruction Fuzzy Hash: 35511871104305DFC704EF20C88596AB7E8FF95718F048A6DF896972A1DB35AE0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0080A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0080A47A
__swprintf.LIBCMT ref: 0080A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0080A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0080A4FE
_memset.LIBCMT ref: 0080A51D
_wcsncpy.LIBCMT ref: 0080A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0080A58E
CloseHandle.KERNEL32(00000000), ref: 0080A599
RemoveDirectoryW.KERNEL32(?), ref: 0080A5A2
CloseHandle.KERNEL32(00000000), ref: 0080A5AC

Strings

\, xrefs: 0080A4B2
:, xrefs: 0080A4BD
\??\%s, xrefs: 0080A496

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: de2a61498225f88a71e1e8e06b95f8ad545d226ac1bf0d324ee9fb9f1e81352e
Instruction ID: 2cef97d4ce50010859909ee5a9e4bd4cc3e4f23979490a245c3e2f43399bf499
Opcode Fuzzy Hash: de2a61498225f88a71e1e8e06b95f8ad545d226ac1bf0d324ee9fb9f1e81352e
Instruction Fuzzy Hash: C8318EB6500209ABDB21DFA0DC49FEB73BCFF89701F1041BAFA08D21A1E67496458B25

Uniqueness

Uniqueness Score: -1.00%

Function 0080DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0080DC7B
_wcscat.LIBCMT ref: 0080DC93
_wcscat.LIBCMT ref: 0080DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0080DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0080DCCE
GetFileAttributesW.KERNEL32(?), ref: 0080DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0080DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0080DD12

Strings

*.*, xrefs: 0080DD51

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 4a5128127e7458aaf88a15327ce78d6aa33c7d1cdf5ed99f6044045df31a143b
Instruction ID: 8aedac069a80fbdad2d1b931df35242c588cbc0746c5e72746ca8775aee55b2b
Opcode Fuzzy Hash: 4a5128127e7458aaf88a15327ce78d6aa33c7d1cdf5ed99f6044045df31a143b
Instruction Fuzzy Hash: 9D81B0715043449FCBA0DFA4CC559AAB7E8FF89314F15882EF889C7291E734D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0082C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0082C4EC
GetFocus.USER32 ref: 0082C4FC
GetDlgCtrlID.USER32(00000000), ref: 0082C507
_memset.LIBCMT ref: 0082C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0082C65D
GetMenuItemCount.USER32(?), ref: 0082C67D
GetMenuItemID.USER32(?,00000000), ref: 0082C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0082C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0082C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0082C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0082C779

Strings

0, xrefs: 0082C62A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: eb2b42461c12f61dfa4f5932513abf4986d3d133973a6ba6311b3a4027ea4fd7
Instruction ID: f054d84c72c02389f0045b52b71242276e455c004daed3f08a9ed73cc4e5fd41
Opcode Fuzzy Hash: eb2b42461c12f61dfa4f5932513abf4986d3d133973a6ba6311b3a4027ea4fd7
Instruction Fuzzy Hash: 0A816A70208321AFD720CF28E984A7EBBE9FB98354F00452DF995D3291D771D985CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007F83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007F8766
Part of subcall function 007F874A: GetLastError.KERNEL32(?,007F822A,?,?,?), ref: 007F8770
Part of subcall function 007F874A: GetProcessHeap.KERNEL32(00000008,?,?,007F822A,?,?,?), ref: 007F877F
Part of subcall function 007F874A: HeapAlloc.KERNEL32(00000000,?,007F822A,?,?,?), ref: 007F8786
Part of subcall function 007F874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007F879D

Part of subcall function 007F87E7: GetProcessHeap.KERNEL32(00000008,007F8240,00000000,00000000,?,007F8240,?), ref: 007F87F3
Part of subcall function 007F87E7: HeapAlloc.KERNEL32(00000000,?,007F8240,?), ref: 007F87FA
Part of subcall function 007F87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007F8240,?), ref: 007F880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007F8458
_memset.LIBCMT ref: 007F846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007F848C
GetLengthSid.ADVAPI32(?), ref: 007F849D
GetAce.ADVAPI32(?,00000000,?), ref: 007F84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007F84F6
GetLengthSid.ADVAPI32(?), ref: 007F8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007F8522
HeapAlloc.KERNEL32(00000000), ref: 007F8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 007F854A
CopySid.ADVAPI32(00000000), ref: 007F8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007F8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007F85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007F85BC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: a03ca1f41767da2281b1072a3ffab3e2c8061d1c547416867224951479e07cc1
Instruction ID: eabf281ba45657b44836acc21a96f1ae0bac2367c3926993c86574aa91ccc725
Opcode Fuzzy Hash: a03ca1f41767da2281b1072a3ffab3e2c8061d1c547416867224951479e07cc1
Instruction Fuzzy Hash: 6D613871A00209EBDF10DFA4DC45EBEBBB9FF05300F148169EA15AB292DB359A15CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0081762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008176A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008176AE
CreateCompatibleDC.GDI32(?), ref: 008176BA
SelectObject.GDI32(00000000,?), ref: 008176C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0081771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00817757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0081777B
SelectObject.GDI32(00000006,?), ref: 00817783
DeleteObject.GDI32(?), ref: 0081778C
DeleteDC.GDI32(00000006), ref: 00817793
ReleaseDC.USER32(00000000,?), ref: 0081779E

Strings

(, xrefs: 00817723

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 73a00656855376a5c71890fd2353b52ffa557204b7c1b5102a259c9cbf25324a
Instruction ID: d71a554c2f769ad954db7d34b551738690278b1113ccce3bbdb6eaf04d5c675f
Opcode Fuzzy Hash: 73a00656855376a5c71890fd2353b52ffa557204b7c1b5102a259c9cbf25324a
Instruction Fuzzy Hash: 6F514875904609EFCB25CFA8CC84EAEBBB9FF48710F14852DFA4A97251D731A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0080A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0082FB78), ref: 0080A0FC

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0080A11E
__swprintf.LIBCMT ref: 0080A177
__swprintf.LIBCMT ref: 0080A190
_wprintf.LIBCMT ref: 0080A246
_wprintf.LIBCMT ref: 0080A264

Strings

Error: , xrefs: 0080A20E
"%s" (%d) : ==> %s:, xrefs: 0080A25F
Line %d (File "%s"):, xrefs: 0080A171, 0080A18A
"%s" (%d) : ==> %s:%s%s, xrefs: 0080A241
^ ERROR, xrefs: 0080A1E8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 23f3ccf26d405704374b7df7ec4e3c98e7405ecb4710bf09998b3412f7e989cc
Instruction ID: 92f0f596fc245c063869508557668897f711e76486d44c2245fae567c8caa7c7
Opcode Fuzzy Hash: 23f3ccf26d405704374b7df7ec4e3c98e7405ecb4710bf09998b3412f7e989cc
Instruction Fuzzy Hash: 80518C31904209EACF19EBA0CD8AEEEB779FF45300F104265F515B21A1EB392F59CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007A6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 007C0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,007A6C6C,?,00008000), ref: 007C0BB7

Part of subcall function 007A48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007A48A1,?,?,007A37C0,?), ref: 007A48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007A6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 007A6E5A

Part of subcall function 007A59CD: _wcscpy.LIBCMT ref: 007A5A05

Part of subcall function 007C387D: _iswctype.LIBCMT ref: 007C3885

Strings

Bad directive syntax error, xrefs: 007DEBC6
Error opening the file, xrefs: 007DE866, 007DE8E1
AU3!, xrefs: 007A6CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 007DE84A
Unterminated string, xrefs: 007DEC0D
EA06, xrefs: 007DE87B
>>>AUTOIT SCRIPT<<<, xrefs: 007DE8BF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 4f59012ab27b4f51b9d4b46a54d5030b116643569f9f19aa0c60c26fa0476034
Instruction ID: 4108d932a68a565e8ec2fa278ef09168bc477e2aafdd230b594aa635e5749dee
Opcode Fuzzy Hash: 4f59012ab27b4f51b9d4b46a54d5030b116643569f9f19aa0c60c26fa0476034
Instruction Fuzzy Hash: 50028B71108341DFC725EF24C885AAFBBE5BFD6314F044A1EF486972A1DB38A949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007A45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A45F9
GetMenuItemCount.USER32(00866890), ref: 007DD7CD
GetMenuItemCount.USER32(00866890), ref: 007DD87D
GetCursorPos.USER32(?), ref: 007DD8C1
SetForegroundWindow.USER32(00000000), ref: 007DD8CA
TrackPopupMenuEx.USER32(00866890,00000000,?,00000000,00000000,00000000), ref: 007DD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007DD8E9

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: ab5d2bb6bbcc644aa78d737b9b210ae814b5d54fdd38e606e3b428b5c6378b72
Instruction ID: ef2ed1f1431ff361426eca3710d515d1c33353cc621c34197ead0ee9c2977b85
Opcode Fuzzy Hash: ab5d2bb6bbcc644aa78d737b9b210ae814b5d54fdd38e606e3b428b5c6378b72
Instruction Fuzzy Hash: 9671F670600215BBEB318F24DC49FAABF75FF45364F204226F624A62E1C7BA6C50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 008210A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00820038,?,?), ref: 008210BC

Strings

HKEY_USERS, xrefs: 008211BD
HKEY_CURRENT_CONFIG, xrefs: 00821179
HKEY_LOCAL_MACHINE, xrefs: 00821125
HKLM, xrefs: 0082113A
HKU, xrefs: 008211CE
HKEY_CURRENT_USER, xrefs: 0082119B
HKEY_CLASSES_ROOT, xrefs: 0082114F
HKCC, xrefs: 0082118A
HKCR, xrefs: 00821164
HKCU, xrefs: 008211AC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 8f6b12a1a9ec1f080b455dd79f7e4ec16b25789b1f4c57a8822e81efc99dfce9
Instruction ID: 3af32978b56c9f5c8cdc6b89c0748cae5df0e1d75955f58b54f19f80a4c41f5e
Opcode Fuzzy Hash: 8f6b12a1a9ec1f080b455dd79f7e4ec16b25789b1f4c57a8822e81efc99dfce9
Instruction Fuzzy Hash: A4412E3025025ECBCF10EEA0E899AEA3725FF71341F604559FD9197292DB34AE5AC790

Uniqueness

Uniqueness Score: -1.00%

Function 00805569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

Part of subcall function 007A7A84: _memmove.LIBCMT ref: 007A7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008055D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008055E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008055F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0080560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0080561C

Strings

open , xrefs: 00805581
status PlayMe mode, xrefs: 008055CD
play PlayMe wait, xrefs: 00805606
close PlayMe, xrefs: 008055E3, 00805610
play PlayMe, xrefs: 00805617
alias PlayMe, xrefs: 008055AB

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b16d5ffcf816f6754904a9751e66fbf0531023b2d9909b9d1715ef8143a25719
Instruction ID: ece7e40fe6aa1235ad948d73b4a7e562d37ee8a26db7e63051f94aede66269ce
Opcode Fuzzy Hash: b16d5ffcf816f6754904a9751e66fbf0531023b2d9909b9d1715ef8143a25719
Instruction Fuzzy Hash: 4111B620690159B9D728A6A1CC8ADFF7B7CFFD2B05F440669B821D21D1DE690D09C9B1

Uniqueness

Uniqueness Score: -1.00%

Function 008048F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0080490E
gethostname.WSOCK32(?,00000100), ref: 00804928
gethostbyname.WSOCK32(?), ref: 00804935
_wcscpy.LIBCMT ref: 0080495D
_memmove.LIBCMT ref: 00804970
inet_ntoa.WSOCK32(?), ref: 0080497B
_strcat.LIBCMT ref: 00804989
_wcscpy.LIBCMT ref: 008049A0
WSACleanup.WSOCK32 ref: 008049AE
_wcscpy.LIBCMT ref: 008049BC

Strings

0.0.0.0, xrefs: 00804957

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 9e43363909e8cba5076bb4de310d66d87e9555d1bb340a3a0a1983e29837582d
Instruction ID: 538215855afc398aeb021ca72411fb2dbfb5eb248b53db3d9dc815e950279aab
Opcode Fuzzy Hash: 9e43363909e8cba5076bb4de310d66d87e9555d1bb340a3a0a1983e29837582d
Instruction Fuzzy Hash: 8911D571904118EBCB24AB24AC4AFDB7BBCFB41710F04417DF604D61A2EF749A82DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00805217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0080521C

Part of subcall function 007C0719: timeGetTime.WINMM(?,75A4B400,007B0FF9), ref: 007C071D

Sleep.KERNEL32(0000000A), ref: 00805248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0080526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0080528E
SetActiveWindow.USER32 ref: 008052AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008052BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 008052DA
Sleep.KERNEL32(000000FA), ref: 008052E5
IsWindow.USER32 ref: 008052F1
EndDialog.USER32(00000000), ref: 00805302

Strings

BUTTON, xrefs: 00805280

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3284d32fd63db6ffc87f9314683306e7f68162740e348fbb8bb26c20f6bdaa71
Instruction ID: 98528a492bbfa0624015a0063072aba0fe7567efeb026751346c63dec39b3b9c
Opcode Fuzzy Hash: 3284d32fd63db6ffc87f9314683306e7f68162740e348fbb8bb26c20f6bdaa71
Instruction Fuzzy Hash: ED219F70204704AFE7515B60ED9DE263B69FB5534EF066478F602C22F2DBA19C11CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0080D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

CoInitialize.OLE32(00000000), ref: 0080D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0080D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0080D8FC
CoCreateInstance.OLE32(00832D7C,00000000,00000001,0085A89C,?), ref: 0080D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0080D9B7
CoTaskMemFree.OLE32(?,?), ref: 0080DA0F
_memset.LIBCMT ref: 0080DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0080DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0080DAAB
CoTaskMemFree.OLE32(00000000), ref: 0080DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0080DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0080DAEB

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 5bd897aa8ac6355378f57405af380aaa464480766cab7f56072e028cf996cbb6
Instruction ID: f62ad848680ccd59f7b8544544ddba45363576ad412797154e25e722a017c7f5
Opcode Fuzzy Hash: 5bd897aa8ac6355378f57405af380aaa464480766cab7f56072e028cf996cbb6
Instruction Fuzzy Hash: 8AB1F875A00219EFCB14DFA4C888DAEBBB9FF89304B048469F905EB261DB30ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0080052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008005A7
SetKeyboardState.USER32(?), ref: 00800612
GetAsyncKeyState.USER32(000000A0), ref: 00800632
GetKeyState.USER32(000000A0), ref: 00800649
GetAsyncKeyState.USER32(000000A1), ref: 00800678
GetKeyState.USER32(000000A1), ref: 00800689
GetAsyncKeyState.USER32(00000011), ref: 008006B5
GetKeyState.USER32(00000011), ref: 008006C3
GetAsyncKeyState.USER32(00000012), ref: 008006EC
GetKeyState.USER32(00000012), ref: 008006FA
GetAsyncKeyState.USER32(0000005B), ref: 00800723
GetKeyState.USER32(0000005B), ref: 00800731

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 380f407fdd7cdec91ca7bae7668927fcb8f5a37dc4b747b90667d217695b746b
Instruction ID: 0e70706766fa1f304750d52a564534cfa45b53479ece8426e3aab9596340b5f6
Opcode Fuzzy Hash: 380f407fdd7cdec91ca7bae7668927fcb8f5a37dc4b747b90667d217695b746b
Instruction Fuzzy Hash: 1151D730A0478829FF75DBA48C557AABFB5FF11380F088599D5C2DA1C2DA649B4CCF52

Uniqueness

Uniqueness Score: -1.00%

Function 007FC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 007FC746
GetWindowRect.USER32(00000000,?), ref: 007FC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007FC7B6
GetDlgItem.USER32(?,00000002), ref: 007FC7C1
GetWindowRect.USER32(00000000,?), ref: 007FC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007FC827
GetDlgItem.USER32(?,000003E9), ref: 007FC835
GetWindowRect.USER32(00000000,?), ref: 007FC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007FC889
GetDlgItem.USER32(?,000003EA), ref: 007FC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007FC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 007FC8C1

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1f9da9c964ce11980ef66bbedb7361e07e67cc03c7c2faf8a4a07d10bff37d4e
Instruction ID: 2b7c16b9651b60a6302aa3435a7bfa6c1ddc89567581e5f9d22d635367156309
Opcode Fuzzy Hash: 1f9da9c964ce11980ef66bbedb7361e07e67cc03c7c2faf8a4a07d10bff37d4e
Instruction Fuzzy Hash: 78512E71B00209AFDB18CFA9DD89AAEBBB6FB98710F14813DF615D6291D7709D01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007A201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007A2036,?,00000000,?,?,?,?,007A16CB,00000000,?), ref: 007A1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007A20D3
KillTimer.USER32(-00000001,?,?,?,?,007A16CB,00000000,?,?,007A1AE2,?,?), ref: 007A216E
DestroyAcceleratorTable.USER32(00000000), ref: 007DBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007A16CB,00000000,?,?,007A1AE2,?,?), ref: 007DBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007A16CB,00000000,?,?,007A1AE2,?,?), ref: 007DBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007A16CB,00000000,?,?,007A1AE2,?,?), ref: 007DBF5A
DeleteObject.GDI32(00000000), ref: 007DBF6C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c5fce75017cac9c94a852ff20d61ee64d51beca91249d248b885aec7446afcb9
Instruction ID: 845246e067844c3f275ee64f52295920afbeb03a5d06f1314ba38f5b381b0bfe
Opcode Fuzzy Hash: c5fce75017cac9c94a852ff20d61ee64d51beca91249d248b885aec7446afcb9
Instruction Fuzzy Hash: 99619C31100651DFCB359F28DD48B2AB7F2FF81316F118639E54287A62C779A8A2DF90

Uniqueness

Uniqueness Score: -1.00%

Function 007A21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007A25DB: GetWindowLongW.USER32(?,000000EB), ref: 007A25EC

GetSysColor.USER32(0000000F), ref: 007A21D3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c35066c91d96b4b0381ed2be458006837f2f406adcf5a8d9a1675b46ef3fae2a
Instruction ID: 02465d50cc1af5ef3db63b591fd943bd238cea9e0a43ddb805c735559ac0f02d
Opcode Fuzzy Hash: c35066c91d96b4b0381ed2be458006837f2f406adcf5a8d9a1675b46ef3fae2a
Instruction Fuzzy Hash: B2418E311001549ADB265F2CDC48BB93B76FB86321F198366FE658A2E3C7398C43DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0080AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0082F910), ref: 0080AB76
GetDriveTypeW.KERNEL32(00000061,0085A620,00000061), ref: 0080AC40
_wcscpy.LIBCMT ref: 0080AC6A

Strings

cdrom, xrefs: 0080AB92
fixed, xrefs: 0080ABBE
removable, xrefs: 0080ABA8
ramdisk, xrefs: 0080ABEA
network, xrefs: 0080ABD4
unknown, xrefs: 0080AC01
all, xrefs: 0080AB7C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 128b7490300bace293bb9356807d0f7c08908a66254857b08da3a22f4d969731
Instruction ID: cfc816abb107652a6215629732d043c94cdbb740c0acde7db55d84fad9d289dd
Opcode Fuzzy Hash: 128b7490300bace293bb9356807d0f7c08908a66254857b08da3a22f4d969731
Instruction Fuzzy Hash: 2751AA30208305DBC718EF14CC95AAAB7A5FF81314F004A2DF996972E2EB35D949CA93

Uniqueness

Uniqueness Score: -1.00%

Function 007A9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 007A99C2
__swprintf.LIBCMT ref: 007A9A0C
__i64tow.LIBCMT ref: 007DFA0F

Strings

True, xrefs: 007DF9D0
%.15g, xrefs: 007A9A06
0x%p, xrefs: 007DF9F1
False, xrefs: 007DF9D7

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: cc0674ec1872e16b3301f691402881f8611fd4a69e7889268a47886c5a043d3d
Instruction ID: b7d347415f9801752245393d70a5a5c57f5cf947305aa8a8ab554dae73825663
Opcode Fuzzy Hash: cc0674ec1872e16b3301f691402881f8611fd4a69e7889268a47886c5a043d3d
Instruction Fuzzy Hash: 0E41C371A04205FFDB249B38DC46F7B73F8EB85300F20456FE64AD6291EA79A942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008273C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008273D9
CreateMenu.USER32 ref: 008273F4
SetMenu.USER32(?,00000000), ref: 00827403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00827490
IsMenu.USER32(?), ref: 008274A6
CreatePopupMenu.USER32 ref: 008274B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008274DD
DrawMenuBar.USER32 ref: 008274E5

Strings

F, xrefs: 008274D1
0, xrefs: 008273CF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: b4c533007d0d35f580dddbfc94c5b2d4ba8ea0ef74f5ab756e1521a7f7c273c5
Instruction ID: e0463dfe2d8ea8434c41d413a1ae36130b0e07feb8aa86144fd448645b99906c
Opcode Fuzzy Hash: b4c533007d0d35f580dddbfc94c5b2d4ba8ea0ef74f5ab756e1521a7f7c273c5
Instruction Fuzzy Hash: BF416874A00219EFDB20EF65E984E9ABBB9FF49300F144028FA05E73A1D730A960CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0082772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008277CD
CreateCompatibleDC.GDI32(00000000), ref: 008277D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008277E7
SelectObject.GDI32(00000000,00000000), ref: 008277EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 008277FA
DeleteDC.GDI32(00000000), ref: 00827803
GetWindowLongW.USER32(?,000000EC), ref: 0082780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00827821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0082782D

Strings

static, xrefs: 00827765

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: abc2e3ac2be5b9da768ed2be62b3b424b236ea8375b5168e17d630acf12603d8
Instruction ID: 99dd8924998939a782abbe5e31132ca64f35a9f15af3b505faa6f6f511f509da
Opcode Fuzzy Hash: abc2e3ac2be5b9da768ed2be62b3b424b236ea8375b5168e17d630acf12603d8
Instruction Fuzzy Hash: 27318C31105125ABDF229F65EC08FDA3BB9FF09721F114235FA15E60A1C731D862DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007C7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C707B

Part of subcall function 007C8D68: __getptd_noexit.LIBCMT ref: 007C8D68

__gmtime64_s.LIBCMT ref: 007C7114
__gmtime64_s.LIBCMT ref: 007C714A
__gmtime64_s.LIBCMT ref: 007C7167
__allrem.LIBCMT ref: 007C71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007C71D9
__allrem.LIBCMT ref: 007C71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007C720E
__allrem.LIBCMT ref: 007C7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007C7243
__invoke_watson.LIBCMT ref: 007C72B4

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 9dd0d435f739fcd3189137181cd3df629fbab80a3eba8aaff7ba087bb04de1b9
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: C171B571A04716EBD7189E79CC46F5AB3B9BF54320F14822EF914E6381EB78DA40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00802A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00802A31
GetMenuItemInfoW.USER32(00866890,000000FF,00000000,00000030), ref: 00802A92
SetMenuItemInfoW.USER32(00866890,00000004,00000000,00000030), ref: 00802AC8
Sleep.KERNEL32(000001F4), ref: 00802ADA
GetMenuItemCount.USER32(?), ref: 00802B1E
GetMenuItemID.USER32(?,00000000), ref: 00802B3A
GetMenuItemID.USER32(?,-00000001), ref: 00802B64
GetMenuItemID.USER32(?,?), ref: 00802BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00802BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00802C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00802C24

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: aeead10a04d37a813edcf82a00f22072511ab4442c990c5f2fe3a0234b376f06
Instruction ID: 8194ad00c5b8a10a4c71587f54854ff46b655e98687e3b32f648093f4063a4b8
Opcode Fuzzy Hash: aeead10a04d37a813edcf82a00f22072511ab4442c990c5f2fe3a0234b376f06
Instruction Fuzzy Hash: DE61D0B0900249EFEB61CF64CD9CEAEBBB8FB01314F104469E841E7291DBB1AD15DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00827192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00827214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00827217
GetWindowLongW.USER32(?,000000F0), ref: 0082723B
_memset.LIBCMT ref: 0082724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0082725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008272D6

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: de695be6210a09b3e666acc48cf210f20fff103d4665d15d9b9bc692758a69c7
Instruction ID: 4513b9745626e2ab10f265af47dd8db2279af5495c9d0d42b160c20ba4c8809e
Opcode Fuzzy Hash: de695be6210a09b3e666acc48cf210f20fff103d4665d15d9b9bc692758a69c7
Instruction Fuzzy Hash: 7D617871900258AFDB10DFA8DC85EEE77B8FB09704F10016AFA14E73A1D774A991DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007F710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007F7135
SafeArrayAllocData.OLEAUT32(?), ref: 007F718E
VariantInit.OLEAUT32(?), ref: 007F71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 007F71C0
VariantCopy.OLEAUT32(?,?), ref: 007F7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 007F7227
VariantClear.OLEAUT32(?), ref: 007F723C
SafeArrayDestroyData.OLEAUT32(?), ref: 007F7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007F7252
VariantClear.OLEAUT32(?), ref: 007F7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007F726F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 855dbdc84f8142f9ea3fa687746036f89bfae865da18cc8ccab331dfbb881b4f
Instruction ID: c0664dd052715ccdb1a4d72263377a71f3095f96564349562a3c54bf97805e3d
Opcode Fuzzy Hash: 855dbdc84f8142f9ea3fa687746036f89bfae865da18cc8ccab331dfbb881b4f
Instruction Fuzzy Hash: 5341303590411DEFCB14EF64D8489AEBBB9FF48354F008075FA15A7361DB74A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00815A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00815AA6
inet_addr.WSOCK32(?,?,?), ref: 00815AEB
gethostbyname.WSOCK32(?), ref: 00815AF7
IcmpCreateFile.IPHLPAPI ref: 00815B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00815B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00815B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00815C00
WSACleanup.WSOCK32 ref: 00815C06

Strings

Ping, xrefs: 00815B29

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: cf7ab8837be77e5014dbf70b3fb4d67b0b8668182b00941b3a797ebf084c560d
Instruction ID: 56c1f9f51a946ab45b7960fade3fcf157da8341228c2a8cb1aaea192231cb2fe
Opcode Fuzzy Hash: cf7ab8837be77e5014dbf70b3fb4d67b0b8668182b00941b3a797ebf084c560d
Instruction Fuzzy Hash: 48518031608700DFDB219F24CC89B6ABBE8FF85720F14892AF655DB2A1DB74E840CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0080B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0080B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0080B7B1
GetLastError.KERNEL32 ref: 0080B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0080B828

Strings

READONLY, xrefs: 0080B7F3
READY, xrefs: 0080B801
INVALID, xrefs: 0080B7FA
NOTREADY, xrefs: 0080B7E7
UNKNOWN, xrefs: 0080B7E0

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b55f0306455f7698ad4b7fd7d3858dc40918285c785cbd28a706fbcdfe162582
Instruction ID: 6411bb4630050fb99294df1be461e569e86e4ec5001b8ba1383f16e3b684b8e0
Opcode Fuzzy Hash: b55f0306455f7698ad4b7fd7d3858dc40918285c785cbd28a706fbcdfe162582
Instruction Fuzzy Hash: BC31C035A00209DFCB54EF64CC89AAE7BB8FF85700F108129EA12D72D1DB359D02C751

Uniqueness

Uniqueness Score: -1.00%

Function 007F9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 007FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007FB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007F94F6
GetDlgCtrlID.USER32 ref: 007F9501
GetParent.USER32 ref: 007F951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 007F9520
GetDlgCtrlID.USER32(?), ref: 007F9529
GetParent.USER32(?), ref: 007F9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 007F9548

Strings

ListBox, xrefs: 007F94B3
ComboBox, xrefs: 007F947E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c7dd85592954c1273fbd765537b1534978ec71855da3b6fe08d9bf7bc97c4ba3
Instruction ID: 7cd1bf1c5c4494efee10caa851da0dc6721ba644f88805b4de8f2f5df94ea26f
Opcode Fuzzy Hash: c7dd85592954c1273fbd765537b1534978ec71855da3b6fe08d9bf7bc97c4ba3
Instruction Fuzzy Hash: 8D219274A00108BBCF05AB64CC89EFEBB74FF95310F104265BA61972E2EB795919DA20

Uniqueness

Uniqueness Score: -1.00%

Function 007F955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 007FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007FB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007F95DF
GetDlgCtrlID.USER32 ref: 007F95EA
GetParent.USER32 ref: 007F9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 007F9609
GetDlgCtrlID.USER32(?), ref: 007F9612
GetParent.USER32(?), ref: 007F962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 007F9631

Strings

ListBox, xrefs: 007F959E
ComboBox, xrefs: 007F9569

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 59ab8c88be6592abe678c0fa943b35fd7cb0ba75516d50f1926ffea7f70f03f3
Instruction ID: fc06c181f5ec641381b472fb2e7cea8b2b678b93104e6a006940eb824af9d31e
Opcode Fuzzy Hash: 59ab8c88be6592abe678c0fa943b35fd7cb0ba75516d50f1926ffea7f70f03f3
Instruction Fuzzy Hash: C3218674A00108BBDF15AB60CC85EFEBB74FF59300F104165FB61972A2EB795519DA20

Uniqueness

Uniqueness Score: -1.00%

Function 007F9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007F9651
GetClassNameW.USER32(00000000,?,00000100), ref: 007F9666
_wcscmp.LIBCMT ref: 007F9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007F96F3

Strings

list, xrefs: 007F96D5
smallicons, xrefs: 007F96BB
largeicons, xrefs: 007F9687
details, xrefs: 007F96A1
SHELLDLL_DefView, xrefs: 007F9672

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 21345480fabeb5b2ae4447ce9e966d274bc56a4c95611f2f542a76a15504c23a
Instruction ID: 630cc82c7aef31213e20708e216a6c257535b89da10ab309e59c176d340688e4
Opcode Fuzzy Hash: 21345480fabeb5b2ae4447ce9e966d274bc56a4c95611f2f542a76a15504c23a
Instruction Fuzzy Hash: C0110A7A24830BFAF6112620DC0AFB6779CEB04761B20412AFF10E52D1FE5E69158958

Uniqueness

Uniqueness Score: -1.00%

Function 00818BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00818BEC
CoInitialize.OLE32(00000000), ref: 00818C19
CoUninitialize.OLE32 ref: 00818C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00818D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00818E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00832C0C), ref: 00818E84
CoGetObject.OLE32(?,00000000,00832C0C,?), ref: 00818EA7
SetErrorMode.KERNEL32(00000000), ref: 00818EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00818F3A
VariantClear.OLEAUT32(?), ref: 00818F4A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 02d1f63fec6e18b5e563e326e38bf1a0f93b4cfb511c163b3c4c2248b0db6e32
Instruction ID: 2c7fcc2775a74001979af3e8d6200aaa7ebef50db35b8a79a930c176e22d318d
Opcode Fuzzy Hash: 02d1f63fec6e18b5e563e326e38bf1a0f93b4cfb511c163b3c4c2248b0db6e32
Instruction Fuzzy Hash: 78C1F0B1208305EF8700DF68C88596ABBE9FF89748F00496DF58ADB251DB71ED46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00804189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0080419D
__swprintf.LIBCMT ref: 008041AA

Part of subcall function 007C38D8: __woutput_l.LIBCMT ref: 007C3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 008041D4
LoadResource.KERNEL32(?,00000000), ref: 008041E0
LockResource.KERNEL32(00000000), ref: 008041ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0080420D
LoadResource.KERNEL32(?,00000000), ref: 0080421F
SizeofResource.KERNEL32(?,00000000), ref: 0080422E
LockResource.KERNEL32(?), ref: 0080423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0080429B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 1c47ac6395447925879284ce5cdb07965e21af795b8d35dcf9e86e93599b14cc
Instruction ID: 4176d73ce95a80bb0e2fe75b2e855cb6a7dc55c7d45354550a9f958ea6bb1e9a
Opcode Fuzzy Hash: 1c47ac6395447925879284ce5cdb07965e21af795b8d35dcf9e86e93599b14cc
Instruction Fuzzy Hash: 4D31AEB164520AABDB119F60DD48EBB7BBCFF05301F008529FA02D2191D774DA62CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008016DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00801700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00800778,?,00000001), ref: 00801714
GetWindowThreadProcessId.USER32(00000000), ref: 0080171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00800778,?,00000001), ref: 0080172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0080173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00800778,?,00000001), ref: 00801755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00800778,?,00000001), ref: 00801767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00800778,?,00000001), ref: 008017AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00800778,?,00000001), ref: 008017C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00800778,?,00000001), ref: 008017CC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e92ba25d4bf059dee1c45b3141a8ff8f706abaabe13931fa083d61dd1dca2019
Instruction ID: 55955ba0140b84dcac061f5ee7cc53f9c13280e3080f8fc1e10e160e965ba8d2
Opcode Fuzzy Hash: e92ba25d4bf059dee1c45b3141a8ff8f706abaabe13931fa083d61dd1dca2019
Instruction Fuzzy Hash: 0C31BB75600204BBEF219F24ED88F693BB9FB25725F118028FA01C62E4DBB49D40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007FA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,007FAA64), ref: 007FA9A2

Strings

REGEXPCLASS, xrefs: 007FA767
TEXT, xrefs: 007FA8D9
CLASSNN, xrefs: 007FA744
NAME, xrefs: 007FA7D4
CLASS, xrefs: 007FA721
INSTANCE, xrefs: 007FA8B0

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 80579134774073acfe7448ffb34330b150137fc082cb6c92c74e23301e673b1a
Instruction ID: 6b8ca6d334ecf05150d8fe167f4cb0b1c534850bda60a0a2a8fdc72452f21488
Opcode Fuzzy Hash: 80579134774073acfe7448ffb34330b150137fc082cb6c92c74e23301e673b1a
Instruction Fuzzy Hash: E89184B060010AEADB08DF60C485BF9FBB4FF14354F508129DA9EA7251DB787A5DCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007A2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007A2EAE

Part of subcall function 007A1DB3: GetClientRect.USER32(?,?), ref: 007A1DDC
Part of subcall function 007A1DB3: GetWindowRect.USER32(?,?), ref: 007A1E1D
Part of subcall function 007A1DB3: ScreenToClient.USER32(?,?), ref: 007A1E45

GetDC.USER32 ref: 007DCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007DCF95
SelectObject.GDI32(00000000,00000000), ref: 007DCFA3
SelectObject.GDI32(00000000,00000000), ref: 007DCFB8
ReleaseDC.USER32(?,00000000), ref: 007DCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007DD04B

Strings

U, xrefs: 007DCF20

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6bff3a9d81ad024b9da2d3ba3720ddb439a97645d61419d8622fdfb65e403643
Instruction ID: 01c14d853f5b0546bf593bb1b5105c842e241f4cf5c2102d660406a18c6e36c0
Opcode Fuzzy Hash: 6bff3a9d81ad024b9da2d3ba3720ddb439a97645d61419d8622fdfb65e403643
Instruction Fuzzy Hash: 7071E531504205DFCF319F68C884AFA7BB6FF89310F14426AED559A266D7398C92DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0082C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

Part of subcall function 007A2344: GetCursorPos.USER32(?), ref: 007A2357
Part of subcall function 007A2344: ScreenToClient.USER32(008667B0,?), ref: 007A2374
Part of subcall function 007A2344: GetAsyncKeyState.USER32(00000001), ref: 007A2399
Part of subcall function 007A2344: GetAsyncKeyState.USER32(00000002), ref: 007A23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0082C2E4
ImageList_EndDrag.COMCTL32 ref: 0082C2EA
ReleaseCapture.USER32 ref: 0082C2F0
SetWindowTextW.USER32(?,00000000), ref: 0082C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0082C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0082C48F

Strings

@GUI_DRAGFILE, xrefs: 0082C424
@GUI_DROPID, xrefs: 0082C3E1

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: d6739484f4c99a0185f47285597b0a1f422ad7e0b90ddddc20eb2d6eedb05ea3
Instruction ID: 00c2673ae2b95c05949cff43d88252bbaef6a994dfddc6afacfc3ea61ea0eaa0
Opcode Fuzzy Hash: d6739484f4c99a0185f47285597b0a1f422ad7e0b90ddddc20eb2d6eedb05ea3
Instruction Fuzzy Hash: B6518D70204244EFD714EF24D859F6A7BE5FB88310F00862DF6518B2A2DB759999CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00818F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0082F910), ref: 0081903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0082F910), ref: 00819071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008191EB
SysFreeString.OLEAUT32(?), ref: 00819215

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: aca5d32c7a7fa0790a05fc2744d78fa246615a20661673b96afc668f6d3d1746
Instruction ID: f17c732a42729459481e5e4a06a0a20070021f926851b0fa668a2184d846e7a5
Opcode Fuzzy Hash: aca5d32c7a7fa0790a05fc2744d78fa246615a20661673b96afc668f6d3d1746
Instruction Fuzzy Hash: 3EF11571A00109EFCB04DF94C898EEEB7B9FF89314F108059F556AB251DB35AE86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0081F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0081F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0081FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0081FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0081FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0081FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0081FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0081FD90
CloseHandle.KERNEL32(?), ref: 0081FDBF
CloseHandle.KERNEL32(?), ref: 0081FE36

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 4e17f05ffde3464f8722333d663bb55bceaf6e6452182ac245234f1e14bd0a4e
Instruction ID: d0aefd8e11e04cc7c6885d11e8893cd9c34d700044bf581304ec4993e5eeb869
Opcode Fuzzy Hash: 4e17f05ffde3464f8722333d663bb55bceaf6e6452182ac245234f1e14bd0a4e
Instruction Fuzzy Hash: BBE19E31204201DFC714EF24C895BAABBE4FF85314F14856DFA999B2A2DB35EC81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00804F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008038D3,?), ref: 008048C7

Part of subcall function 008048AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008038D3,?), ref: 008048E0

Part of subcall function 00804CD3: GetFileAttributesW.KERNEL32(?,00803947), ref: 00804CD4

lstrcmpiW.KERNEL32(?,?), ref: 00804FE2
_wcscmp.LIBCMT ref: 00804FFC
MoveFileW.KERNEL32(?,?), ref: 00805017

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 94463a3d7eba1465cef2fc78cc6678facb7dd02b595fd8491899f6f7d89c70e3
Instruction ID: 1caf81958214275b84d11669d945b979e663b9d043e207898a1a89ad3bad77c6
Opcode Fuzzy Hash: 94463a3d7eba1465cef2fc78cc6678facb7dd02b595fd8491899f6f7d89c70e3
Instruction Fuzzy Hash: E15174B20087859BD764DB54CC85DDFB7ECEF85300F00492EB685D3192EE74A289CB66

Uniqueness

Uniqueness Score: -1.00%

Function 008288B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0082896E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: be9e54a29356c5fec0091e252c1ec0edc0932b15098e991e5e1b14d01b9f2b4d
Instruction ID: 48535c64f8fa19cfde6d43775e63b0e33596094aa059f3ad661ee40e6c0251bf
Opcode Fuzzy Hash: be9e54a29356c5fec0091e252c1ec0edc0932b15098e991e5e1b14d01b9f2b4d
Instruction Fuzzy Hash: E3519130502278FEDF309F28AC89BA97B65FB05354F604122F512E65A2DF71A9D0DB82

Uniqueness

Uniqueness Score: -1.00%

Function 007A2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007DC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007DC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007DC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007DC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007DC5C0
DestroyIcon.USER32(00000000), ref: 007DC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007DC5EC
DestroyIcon.USER32(?), ref: 007DC5FB

Part of subcall function 0082A71E: DeleteObject.GDI32(00000000), ref: 0082A757

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: b05a345e77695e2f27964794fd244d91a1c366b78dfcae98d7e6e0c919078d22
Instruction ID: 38b693f1b35b2bf9c815c10d3b04f48b31aede1e747d1b81db113101f82790e3
Opcode Fuzzy Hash: b05a345e77695e2f27964794fd244d91a1c366b78dfcae98d7e6e0c919078d22
Instruction Fuzzy Hash: C5513A70600206EFDB24DF28DC45FAA77B5FB95310F104629F942972A1EBB8ED91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 007F9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007FAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 007FAE77
Part of subcall function 007FAE57: GetCurrentThreadId.KERNEL32 ref: 007FAE7E
Part of subcall function 007FAE57: AttachThreadInput.USER32(00000000,?,007F9B65,?,00000001), ref: 007FAE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 007F9B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007F9B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007F9B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 007F9B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007F9BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007F9BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 007F9BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007F9BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007F9BDD

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: ac57b26cfc95ff4aa49cdf8407ca1015a3b7bafdbedab40c18773fa4e364c436
Instruction ID: 0986ab5c7796a4c273a65240f31bce2d2e2386eebd33b07cffacfca753b14d33
Opcode Fuzzy Hash: ac57b26cfc95ff4aa49cdf8407ca1015a3b7bafdbedab40c18773fa4e364c436
Instruction Fuzzy Hash: 0811E1B1550218FEF6206B60DC8EF6A3B2DEB4CB51F504425F348AB1A1CAF25C21DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 007F8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007F8A84,00000B00,?,?), ref: 007F8E0C
HeapAlloc.KERNEL32(00000000,?,007F8A84,00000B00,?,?), ref: 007F8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007F8A84,00000B00,?,?), ref: 007F8E28
GetCurrentProcess.KERNEL32(?,00000000,?,007F8A84,00000B00,?,?), ref: 007F8E30
DuplicateHandle.KERNEL32(00000000,?,007F8A84,00000B00,?,?), ref: 007F8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007F8A84,00000B00,?,?), ref: 007F8E43
GetCurrentProcess.KERNEL32(007F8A84,00000000,?,007F8A84,00000B00,?,?), ref: 007F8E4B
DuplicateHandle.KERNEL32(00000000,?,007F8A84,00000B00,?,?), ref: 007F8E4E
CreateThread.KERNEL32(00000000,00000000,007F8E74,00000000,00000000,00000000), ref: 007F8E68

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: dfb04c9742929dd7e76bf43b18419a6329cab92e88038dfe2dd42f18ce446df8
Instruction ID: 5ec84af09126b35e4a5b4e4d77035379af61074f2d5613e905416f7aab36bfca
Opcode Fuzzy Hash: dfb04c9742929dd7e76bf43b18419a6329cab92e88038dfe2dd42f18ce446df8
Instruction Fuzzy Hash: A901ACB5640308FFE621AB65DD4AF6B3B6CFB89711F408421FB05DB191CA749811CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00819428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0081947C
VariantInit.OLEAUT32(?), ref: 0081954D
VariantInit.OLEAUT32(?), ref: 0081964E
VariantClear.OLEAUT32(?), ref: 00819658
VariantClear.OLEAUT32(?), ref: 008196B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00819631
Null Object assignment in FOR..IN loop, xrefs: 008194DD, 0081960B, 008196C3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: d07266a2f07328ad3049b4d718429d9c38e7fbe9e503010ef7f0b20f0344e602
Instruction ID: fd4e40c0b877e89355d2feffcd7e7bc4d9f9997260685dbe1a2bf691b60b64b2
Opcode Fuzzy Hash: d07266a2f07328ad3049b4d718429d9c38e7fbe9e503010ef7f0b20f0344e602
Instruction Fuzzy Hash: 6791BC70A00209ABDF24DFA4C858FEEB7B8FF95714F108159F559EB280D7709985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00819A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 007F7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?,?,?,007F799D), ref: 007F766F
Part of subcall function 007F7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?,?), ref: 007F768A
Part of subcall function 007F7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?,?), ref: 007F7698
Part of subcall function 007F7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?), ref: 007F76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00819B1B
_memset.LIBCMT ref: 00819B28
_memset.LIBCMT ref: 00819C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00819C97
CoTaskMemFree.OLE32(?), ref: 00819CA2

Strings

NULL Pointer assignment, xrefs: 00819CF0

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 5eb45fb1cbff51a629a9dd50e5c87f9e72798722a2e1d6d353a7069e3a259a0a
Instruction ID: fdc1caf9fdbd7d31cd155f1c1933bb3b1da2d6a98bea9a07bdd5accc96998795
Opcode Fuzzy Hash: 5eb45fb1cbff51a629a9dd50e5c87f9e72798722a2e1d6d353a7069e3a259a0a
Instruction Fuzzy Hash: 5D913971D00229EBDB10DFA4DC94EDEBBB8FF49710F10816AE519A7241EB355A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00826FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00827093
SendMessageW.USER32(?,00001036,00000000,?), ref: 008270A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008270C1
_wcscat.LIBCMT ref: 0082711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00827133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00827161

Strings

SysListView32, xrefs: 00827065

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 26fd7036448bb8d7175fc09525b7bfb82ef1ee9a2f79cfc938443012802558b7
Instruction ID: 438699e6d29f5b76b2c5bd29fcea58a997ef7769a341b725f85dadf7af01f5c2
Opcode Fuzzy Hash: 26fd7036448bb8d7175fc09525b7bfb82ef1ee9a2f79cfc938443012802558b7
Instruction Fuzzy Hash: 6341A270904318EBEB219FA4DC89BEE77B8FF08350F10452AF944E7292D6759D89CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0081EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00803E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00803EB6
Part of subcall function 00803E91: Process32FirstW.KERNEL32(00000000,?), ref: 00803EC4
Part of subcall function 00803E91: CloseHandle.KERNEL32(00000000), ref: 00803F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0081ECB8
GetLastError.KERNEL32 ref: 0081ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0081ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0081ED77
GetLastError.KERNEL32(00000000), ref: 0081ED82
CloseHandle.KERNEL32(00000000), ref: 0081EDB7

Strings

SeDebugPrivilege, xrefs: 0081ECD6

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2d5013f9b5193fbf35aff510c117109e6055ad9b2f37b4495d308d45fd7fdfb5
Instruction ID: 0dcbbc37c19f8822ebf58a37080f3500b80b2423e6fb557995c46e02dc83ed5a
Opcode Fuzzy Hash: 2d5013f9b5193fbf35aff510c117109e6055ad9b2f37b4495d308d45fd7fdfb5
Instruction Fuzzy Hash: D4419C702002009FDB21EF18CC99FADB7A4FF81714F088059FA429B2D2DB79A854CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00803226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008032C5

Strings

stop, xrefs: 00803296
blank, xrefs: 00803247
question, xrefs: 0080327E
info, xrefs: 00803266
warning, xrefs: 008032AE

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: cde8d078985e080ee6474ef7b7de114e6da01c22c265910e5e2f074bc0cc2b0e
Instruction ID: 068fa24bf4262a422cbce4db40b2eaa95b6eb03d17dbecc255c4dc0e25634c22
Opcode Fuzzy Hash: cde8d078985e080ee6474ef7b7de114e6da01c22c265910e5e2f074bc0cc2b0e
Instruction Fuzzy Hash: 57116A3520874ABFE7455B54DC83D6AB79CFF09376F20002EF900E62C1E7B95B4045A5

Uniqueness

Uniqueness Score: -1.00%

Function 00804534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0080454E
LoadStringW.USER32(00000000), ref: 00804555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0080456B
LoadStringW.USER32(00000000), ref: 00804572
_wprintf.LIBCMT ref: 00804598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008045B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00804593

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: b0925c3fa080ecd281e63e2724652593fd8784e91cbe7f68bc6e526f06e87bb9
Instruction ID: b597334e8df2d027a5a6b5ef9a7d54439cb6de884742d510efb5caa05c483510
Opcode Fuzzy Hash: b0925c3fa080ecd281e63e2724652593fd8784e91cbe7f68bc6e526f06e87bb9
Instruction Fuzzy Hash: 0C0167F2500208BFE7619794DD89EE7777CFB08301F4045B5BB45E2152E6745E858B70

Uniqueness

Uniqueness Score: -1.00%

Function 0082D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

GetSystemMetrics.USER32(0000000F), ref: 0082D78A
GetSystemMetrics.USER32(0000000F), ref: 0082D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0082D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0082DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0082DA24
ShowWindow.USER32(00000003,00000000), ref: 0082DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0082DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0082DA8B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 56be6f67c2584fb80e23307c6579902cba318012e27f9219c97d8b4e52a2a6db
Instruction ID: c7396b2cf57098dbe8f757ca762a2efd2329565fa3b0afe2d91887f55dc757ea
Opcode Fuzzy Hash: 56be6f67c2584fb80e23307c6579902cba318012e27f9219c97d8b4e52a2a6db
Instruction Fuzzy Hash: 60B16671600229AFDF18CF68D985BAD7BB1FF48701F088169ED49DB296D734A990CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007A2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007DC417,00000004,00000000,00000000,00000000), ref: 007A2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,007DC417,00000004,00000000,00000000,00000000,000000FF), ref: 007A2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,007DC417,00000004,00000000,00000000,00000000), ref: 007DC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007DC417,00000004,00000000,00000000,00000000), ref: 007DC4D6

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e5c50f2582590f7c3941a7aa670707cd4510d94071e25b1b8e3f6301886c9dc2
Instruction ID: dc9ec9d8d2ea08425506bb50185ea135e1972b959a58fea6703b106a93f09857
Opcode Fuzzy Hash: e5c50f2582590f7c3941a7aa670707cd4510d94071e25b1b8e3f6301886c9dc2
Instruction Fuzzy Hash: BC41E9312046C1EAC7368B2C8D9CA7B7BA2BFD7300F14C62AE94786663D67D9843D710

Uniqueness

Uniqueness Score: -1.00%

Function 00807368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0080737F

Part of subcall function 007C0FF6: std::exception::exception.LIBCMT ref: 007C102C
Part of subcall function 007C0FF6: __CxxThrowException@8.LIBCMT ref: 007C1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008073B6
EnterCriticalSection.KERNEL32(?), ref: 008073D2
_memmove.LIBCMT ref: 00807420
_memmove.LIBCMT ref: 0080743D
LeaveCriticalSection.KERNEL32(?), ref: 0080744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00807461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00807480

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d830078f96dff4b0f8d17660ed5d72576a71d4589a3af6738aeaaf6a646afadb
Instruction ID: 74ed2f71f8a370ef2976f74f5516844401be596fc613a6822ffe6f7e471a2a45
Opcode Fuzzy Hash: d830078f96dff4b0f8d17660ed5d72576a71d4589a3af6738aeaaf6a646afadb
Instruction Fuzzy Hash: 97318E31904205EBDB10DF54DD89EAE7BB8FF45710B5480B9F904EB246DB34DA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00826442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0082645A
GetDC.USER32(00000000), ref: 00826462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0082646D
ReleaseDC.USER32(00000000,00000000), ref: 00826479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008264B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008264C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00829299,?,?,000000FF,00000000,?,000000FF,?), ref: 00826500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00826520

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 25797b82ed190d85846fbfbedd6dc58a80f8bf94675c00836cd89b094c8f2a4e
Instruction ID: 63683fac35b59bf169e15014b1428830d23c23ab551aa58537f5de15fc04fe39
Opcode Fuzzy Hash: 25797b82ed190d85846fbfbedd6dc58a80f8bf94675c00836cd89b094c8f2a4e
Instruction Fuzzy Hash: 0B316D72201214BFEB218F50DD4AFEA3FA9FF19761F044065FE08DA192D6759C52CB64

Uniqueness

Uniqueness Score: -1.00%

Function 007FC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 007FC087
_memcmp.LIBCMT ref: 007FC0A9
_memcmp.LIBCMT ref: 007FC0C1
_memcmp.LIBCMT ref: 007FC0D4
_memcmp.LIBCMT ref: 007FC0EE
_memcmp.LIBCMT ref: 007FC101
_memcmp.LIBCMT ref: 007FC119
_memcmp.LIBCMT ref: 007FC134

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: aeb8899fff047fb973e21c0fdcff2157c5890fcd20b30dc0f14fd10c831a1789
Instruction ID: 3c1c746f1a1295c458a4bc828519aa2d12f839fda8c7257b2dbf004b078c1725
Opcode Fuzzy Hash: aeb8899fff047fb973e21c0fdcff2157c5890fcd20b30dc0f14fd10c831a1789
Instruction Fuzzy Hash: CA21A1B160020DF6D216A6258E56FBB235CAF513A4F444028FF05A6383EF5DDD22C1E5

Uniqueness

Uniqueness Score: -1.00%

Function 0080ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

Part of subcall function 007BFEC6: _wcscpy.LIBCMT ref: 007BFEE9

_wcstok.LIBCMT ref: 0080EEFF
_wcscpy.LIBCMT ref: 0080EF8E
_memset.LIBCMT ref: 0080EFC1

Strings

X, xrefs: 0080EFFE

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 9fcb2326e883c23ae3e8b38362acfb1a33bc8bdf80e215b10203ceb3e395511d
Instruction ID: 5182d383e0db3c90734cee3d2885dc714428aec3ad94dca69d15fe9c6c73f901
Opcode Fuzzy Hash: 9fcb2326e883c23ae3e8b38362acfb1a33bc8bdf80e215b10203ceb3e395511d
Instruction Fuzzy Hash: EFC16C71608701DFC764EF24C889A5AB7E4FF85310F008A6DF999972A2DB34ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00816E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00816F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00816F35
WSAGetLastError.WSOCK32(00000000), ref: 00816F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00816FFE
inet_ntoa.WSOCK32(?), ref: 00816FBB

Part of subcall function 007FAE14: _strlen.LIBCMT ref: 007FAE1E
Part of subcall function 007FAE14: _memmove.LIBCMT ref: 007FAE40

_strlen.LIBCMT ref: 00817058
_memmove.LIBCMT ref: 008170C1

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: eb79b1c9f00c464b282b2cc3cee135fa25a9eab49523b494eef28e13a1392fd8
Instruction ID: 64185b8ee0ad7cb014bad1b20aee288437d6b121d7b3827cc2628f33803b789e
Opcode Fuzzy Hash: eb79b1c9f00c464b282b2cc3cee135fa25a9eab49523b494eef28e13a1392fd8
Instruction Fuzzy Hash: 5B81E171508700EFC710EB24CC8AEABB7ADFF85714F10862CF6559B292EA749D41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007A1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd58e79385438ae9840ed215ec535a30a1439dd23b47049db036a906e248840e
Instruction ID: 0592b939f5f2d3dc3ad15f3d7724c0968b09204e13566a6220614534acf56a44
Opcode Fuzzy Hash: cd58e79385438ae9840ed215ec535a30a1439dd23b47049db036a906e248840e
Instruction Fuzzy Hash: F1718C30904149EFDB14CF98CC49ABEBB79FF8A310F54C259F915AA251C738AA51CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0082B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01234C08), ref: 0082B6A5
IsWindowEnabled.USER32(01234C08), ref: 0082B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0082B795
SendMessageW.USER32(01234C08,000000B0,?,?), ref: 0082B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0082B809
GetWindowLongW.USER32(01234C08,000000EC), ref: 0082B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0082B843

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ddaa6b2c33a14eb515fc40fead5e0699a482bfffc9db9f2422bdcf1938a024e3
Instruction ID: 3a968cf107e13f2a7c3cae88a9acc746cb0860126ce110e69a5ada2444c5f2ca
Opcode Fuzzy Hash: ddaa6b2c33a14eb515fc40fead5e0699a482bfffc9db9f2422bdcf1938a024e3
Instruction Fuzzy Hash: 0071BE34602264AFDB20DF64E894FBA7BB9FF99300F144069EA46D73A1D731AC91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0081F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0081F75C
_memset.LIBCMT ref: 0081F825
ShellExecuteExW.SHELL32(?), ref: 0081F86A

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

Part of subcall function 007BFEC6: _wcscpy.LIBCMT ref: 007BFEE9

GetProcessId.KERNEL32(00000000), ref: 0081F8E1
CloseHandle.KERNEL32(00000000), ref: 0081F910

Strings

@, xrefs: 0081F839

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: a7d923bd8877591831315ea00e19060fc24bfc4012ebdb62a536573698c83587
Instruction ID: 52ec2dde99fa212cf66fe505a466fd0cec66cdeadb6fa4f68181e434f59c918e
Opcode Fuzzy Hash: a7d923bd8877591831315ea00e19060fc24bfc4012ebdb62a536573698c83587
Instruction Fuzzy Hash: 67618F75A00619DFCB14EF54C484AAEBBF9FF89310F14856DE945AB352CB34AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0080145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0080149C
GetKeyboardState.USER32(?), ref: 008014B1
SetKeyboardState.USER32(?), ref: 00801512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00801540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0080155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 008015A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008015C8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 52e4f70be7409519737d44b2e597012ca016a64f1ecc32c2b8e0f68413674ab8
Instruction ID: 908b852c7b9adf257b712afc417df93a2ce54460e297c50d5e1dd51d0628c927
Opcode Fuzzy Hash: 52e4f70be7409519737d44b2e597012ca016a64f1ecc32c2b8e0f68413674ab8
Instruction Fuzzy Hash: 775103A06047D53EFF7642388C49BBABEAABB46324F088589E1D5CA8D3C795DC84D750

Uniqueness

Uniqueness Score: -1.00%

Function 00801276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008012B5
GetKeyboardState.USER32(?), ref: 008012CA
SetKeyboardState.USER32(?), ref: 0080132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00801357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00801374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008013B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008013D9

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 23e146fc95175664648fad1add781a1afab245bf02bc1530ba933af318e9c696
Instruction ID: 047ed1119f9c57d088da6a0193b36e52796d836a34a86baf536b0054f5dd5776
Opcode Fuzzy Hash: 23e146fc95175664648fad1add781a1afab245bf02bc1530ba933af318e9c696
Instruction Fuzzy Hash: 5E5104A09047D53EFF7683248C49B7ABFA9FB06320F088589E1D4C69C2D798AC84D751

Uniqueness

Uniqueness Score: -1.00%

Function 0080589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008058AC
_wcsncpy.LIBCMT ref: 008058E1
_wcsncpy.LIBCMT ref: 00805913
_wcsncpy.LIBCMT ref: 00805946
_wcsncpy.LIBCMT ref: 00805988
_wcsncpy.LIBCMT ref: 008059C2
_wcsncpy.LIBCMT ref: 008059F1

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: f3f7cd520232804f11708c96fc84e862e386389e964f57497ee12f363e3b0faf
Instruction ID: 1c3b7611e5317f5d166dc173f62d68485e78e0da24502208f26f0754d89ac11c
Opcode Fuzzy Hash: f3f7cd520232804f11708c96fc84e862e386389e964f57497ee12f363e3b0faf
Instruction Fuzzy Hash: 5D41A469D20628B6CB50EBB48C8EECF77A8EF04710F50855EF518E3162E638D715C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 008038AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008038D3,?), ref: 008048C7

Part of subcall function 008048AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008038D3,?), ref: 008048E0

lstrcmpiW.KERNEL32(?,?), ref: 008038F3
_wcscmp.LIBCMT ref: 0080390F
MoveFileW.KERNEL32(?,?), ref: 00803927
_wcscat.LIBCMT ref: 0080396F
SHFileOperationW.SHELL32(?), ref: 008039DB

Strings

\*.*, xrefs: 00803969

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 35642d7e785f9cbf38516df0ca9095b769ccf62e351f2ea14f4e7a7b1f641354
Instruction ID: 6b932dc7683af8ef578426f1686915b1211f2e30ea115488ed2512583ddc951f
Opcode Fuzzy Hash: 35642d7e785f9cbf38516df0ca9095b769ccf62e351f2ea14f4e7a7b1f641354
Instruction Fuzzy Hash: 464181B15083849AD791EF64C885ADBBBECFF89340F40192EB489C3191EA74D649C752

Uniqueness

Uniqueness Score: -1.00%

Function 00827500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00827519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008275C0
IsMenu.USER32(?), ref: 008275D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00827620
DrawMenuBar.USER32 ref: 00827633

Strings

0, xrefs: 0082750D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 9d340bac04977a6e7feb9dcfdfee95262554392faa72269139f74190ff1130f5
Instruction ID: 4220a5fccf97ab6b1efee5469876635c55ac01033e6ef22bca9a3733ab46feaa
Opcode Fuzzy Hash: 9d340bac04977a6e7feb9dcfdfee95262554392faa72269139f74190ff1130f5
Instruction Fuzzy Hash: BC413575A04619EFDB20DF66E984E9ABBF8FB18314F048129F915D7290D730AD90CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0082122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0082125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00821286
FreeLibrary.KERNEL32(00000000), ref: 0082133D

Part of subcall function 0082122D: RegCloseKey.ADVAPI32(?), ref: 008212A3
Part of subcall function 0082122D: FreeLibrary.KERNEL32(?), ref: 008212F5
Part of subcall function 0082122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00821318

RegDeleteKeyW.ADVAPI32(?,?), ref: 008212E0

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 9d65a885c23162ed10f50d675bc0d23deeb5c3add65a0d03f33d1113f23e00ac
Instruction ID: ca030b4f33ee8b8b09057c8e5eeb07da1bd440deaf631114431836aa548c9deb
Opcode Fuzzy Hash: 9d65a885c23162ed10f50d675bc0d23deeb5c3add65a0d03f33d1113f23e00ac
Instruction Fuzzy Hash: 0B31F6B1901119AEDF15DB94E889EFFB7BCFB18300F10416AB501E2251EA749E869AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0082653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0082655B
GetWindowLongW.USER32(01234C08,000000F0), ref: 0082658E
GetWindowLongW.USER32(01234C08,000000F0), ref: 008265C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008265F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0082661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00826630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0082664A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a813452af25e1e279de05f1b302fa89d2437229bdec4bea63c1f396a5272f33e
Instruction ID: 1de860a8cbab96b8cc2efafd57dde5672188b562be24c1f17a0a54797ff780f4
Opcode Fuzzy Hash: a813452af25e1e279de05f1b302fa89d2437229bdec4bea63c1f396a5272f33e
Instruction Fuzzy Hash: A5310330604160AFDB208F28ED85F5537E5FB5A710F194178F601CB2B6EB71ACA0DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00816486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008180A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008180CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008164D9
WSAGetLastError.WSOCK32(00000000), ref: 008164E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00816521
connect.WSOCK32(00000000,?,00000010), ref: 0081652A
WSAGetLastError.WSOCK32 ref: 00816534
closesocket.WSOCK32(00000000), ref: 0081655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00816576

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: bb18c6a7be93b71548198891f3246571a2af455e4e674ae0dbc13abb8fb3f331
Instruction ID: 6e486fc2978d4392e12c3798b9bf89a567a9392e8716ffe3a6f47745a86f77f9
Opcode Fuzzy Hash: bb18c6a7be93b71548198891f3246571a2af455e4e674ae0dbc13abb8fb3f331
Instruction Fuzzy Hash: 0C31B031600118AFDB109F24CC89BFA7BBDFF45724F008069FA45E7291EB74A955CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 007FE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007FE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007FE120
SysAllocString.OLEAUT32(00000000), ref: 007FE123
SysAllocString.OLEAUT32 ref: 007FE144
SysFreeString.OLEAUT32 ref: 007FE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 007FE167
SysAllocString.OLEAUT32(?), ref: 007FE175

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 90b107479a6424f5922f6768717b95268fceb17047b8db17564bcbdea9274d99
Instruction ID: 53b8871c866c00ebb7d63ab66588f7d99fdd33212d3fa83adab505282cf3293f
Opcode Fuzzy Hash: 90b107479a6424f5922f6768717b95268fceb17047b8db17564bcbdea9274d99
Instruction Fuzzy Hash: 3E21303560420CAF9B20AFA9DC89DBB77ECFB09760B508235FA15CB261DA74DC41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 007FFB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007FFB81
__wcsnicmp.LIBCMT ref: 007FFBA2
__wcsnicmp.LIBCMT ref: 007FFBBC

Strings

#notrayicon, xrefs: 007FFB79
#requireadmin, xrefs: 007FFB9C
#OnAutoItStartRegister, xrefs: 007FFBB6

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 19e5075b2af247a85084f045f3148010d8af7b66c32328379141d24bdf369287
Instruction ID: a71e1aedf2581018dbfcdaeaf98fbda0b39c538a452cfe0ab97007467933184f
Opcode Fuzzy Hash: 19e5075b2af247a85084f045f3148010d8af7b66c32328379141d24bdf369287
Instruction Fuzzy Hash: B3216772204628E6D230A634DC16FBB7398EF91310F108039FA8686341EF5CA982D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 0082783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007A1D73
Part of subcall function 007A1D35: GetStockObject.GDI32(00000011), ref: 007A1D87
Part of subcall function 007A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007A1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008278A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008278AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008278B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008278C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008278D4

Strings

Msctls_Progress32, xrefs: 00827872

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: bba35a1a1060b1395ad6c0f0cb29b2d3257c4e43d33187e16f059a2b3ba6aae6
Instruction ID: 2013c9c681d55a98935b49222dd58454c4920573a71f4def2bd0e756a857bfa1
Opcode Fuzzy Hash: bba35a1a1060b1395ad6c0f0cb29b2d3257c4e43d33187e16f059a2b3ba6aae6
Instruction Fuzzy Hash: 5F118EB2510229BFEF159E61CC85EE77F6DFF08798F014124FA04A2090D7729C61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007C41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,007C4292,?), ref: 007C41E3
GetProcAddress.KERNEL32(00000000), ref: 007C41EA
EncodePointer.KERNEL32(00000000), ref: 007C41F6
DecodePointer.KERNEL32(00000001,007C4292,?), ref: 007C4213

Strings

combase.dll, xrefs: 007C41DE
RoInitialize, xrefs: 007C41D2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: c558c6a41061892d731e54f65582c8784c00d63d00f000147986639b9a79819c
Instruction ID: dfa3005bc2ff849a712fc6b69ee7a1adfaf8d32888df172845a47e9d1eeadcf2
Opcode Fuzzy Hash: c558c6a41061892d731e54f65582c8784c00d63d00f000147986639b9a79819c
Instruction Fuzzy Hash: DBE012B0590304AFEB205F70EC0DB083AA5B756702F51B438F621D51A1DBFA4092CF00

Uniqueness

Uniqueness Score: -1.00%

Function 007C429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007C41B8), ref: 007C42B8
GetProcAddress.KERNEL32(00000000), ref: 007C42BF
EncodePointer.KERNEL32(00000000), ref: 007C42CA
DecodePointer.KERNEL32(007C41B8), ref: 007C42E5

Strings

combase.dll, xrefs: 007C42B3
RoUninitialize, xrefs: 007C42A7

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 391a810a5564afbaa53e7b20b225c6a16fd66408178f9ceb8a56a2c55e1f3b61
Instruction ID: 8fc459a5acab353a8e6632d080e74d1907578c7415e3995575e78df2d486abf9
Opcode Fuzzy Hash: 391a810a5564afbaa53e7b20b225c6a16fd66408178f9ceb8a56a2c55e1f3b61
Instruction Fuzzy Hash: 2AE0B678581300EBEB209B60FD0DB083AB4F726B42F11A03AF211E12A1CBB84591CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0080675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008068AD
_memmove.LIBCMT ref: 008067E8

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

_memmove.LIBCMT ref: 0080685B
_memmove.LIBCMT ref: 00806942
_memmove.LIBCMT ref: 0080695B
_memmove.LIBCMT ref: 00806977

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9878d26070b011936cad77e1676243b9e2a31e5d9705435f175891a5af6f413f
Instruction ID: 86948bcac243fba0bab8b8e6ec5bf73e259762429e9e5d1b3e5bd38029ceca19
Opcode Fuzzy Hash: 9878d26070b011936cad77e1676243b9e2a31e5d9705435f175891a5af6f413f
Instruction Fuzzy Hash: 9A619E3050025ADBDF11EF24CC85EFE3BA8EF85308F444629F9559B1D2EB38A961CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0082046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 008210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00820038,?,?), ref: 008210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00820548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00820588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 008205AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008205D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00820617
RegCloseKey.ADVAPI32(00000000), ref: 00820624

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: dce2d3ce209d792c51b311ddbd087077c0b6caaf3422a5b183d972568f869ebf
Instruction ID: 59ac6b32b03f80cc4be17e1f5487e719a23d3df47ee47bdf0baba0e2915d58fd
Opcode Fuzzy Hash: dce2d3ce209d792c51b311ddbd087077c0b6caaf3422a5b183d972568f869ebf
Instruction Fuzzy Hash: D6514831208204EFCB14EB24D889E6BBBE8FF85314F04892DF545972A2DB35E945CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00825A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00825A82
GetMenuItemCount.USER32(00000000), ref: 00825AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00825AE1
GetMenuItemID.USER32(?,?), ref: 00825B50
GetSubMenu.USER32(?,?), ref: 00825B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00825BAF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 938cf875a89b0d47fc132c2520f1fd4e1f67be9019fc69574472424eaf94b46a
Instruction ID: 7be7cf1dad6d468772170b1a891aaeeaae2783b8530564f2ffceb879ce8ec257
Opcode Fuzzy Hash: 938cf875a89b0d47fc132c2520f1fd4e1f67be9019fc69574472424eaf94b46a
Instruction Fuzzy Hash: C9514C35A40629EFCB11AF64D845AAEB7B4FF48320F108569E916F7251CB74AE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007FF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007FF3F7
VariantClear.OLEAUT32(00000013), ref: 007FF469
VariantClear.OLEAUT32(00000000), ref: 007FF4C4
_memmove.LIBCMT ref: 007FF4EE
VariantClear.OLEAUT32(?), ref: 007FF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007FF569

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 8a5e1848a236c88b577b26f04240f727c7454fe4c7dff8c231eb90a68ce4c0e5
Instruction ID: b41dca3ecbfaa1b25d9ddd2494fe91672a9e011bde759265075869fbbaa12586
Opcode Fuzzy Hash: 8a5e1848a236c88b577b26f04240f727c7454fe4c7dff8c231eb90a68ce4c0e5
Instruction Fuzzy Hash: E4516BB5A00209EFCB10DF58D884AAAB7B9FF4C314B158169EA59DB301D734E912CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008026F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00802747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00802792
IsMenu.USER32(00000000), ref: 008027B2
CreatePopupMenu.USER32 ref: 008027E6
GetMenuItemCount.USER32(000000FF), ref: 00802844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00802875

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 2bc7110075131a7ad03536fc18655ef5a5ef19f2b9f1827cf2c7669339124e0d
Instruction ID: 4c3e3581ee18fc50a62ccb3dee9ff6654ef820eec61701a612977b24667bbf24
Opcode Fuzzy Hash: 2bc7110075131a7ad03536fc18655ef5a5ef19f2b9f1827cf2c7669339124e0d
Instruction Fuzzy Hash: 79518C74A0020AEBDB65CF68CC8CAAEBBF5FF44314F148169E821DB2D1D7B08944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007A1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 007A179A
GetWindowRect.USER32(?,?), ref: 007A17FE
ScreenToClient.USER32(?,?), ref: 007A181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007A182C
EndPaint.USER32(?,?), ref: 007A1876

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 037aa63d259e8a14648bb5502777bd5b09da3037765dcf1d5a9042d1ace9e0f7
Instruction ID: 0d915f6fa6eefd87caea16d57d54b2c615b89b042fdc5feb693907757c530fee
Opcode Fuzzy Hash: 037aa63d259e8a14648bb5502777bd5b09da3037765dcf1d5a9042d1ace9e0f7
Instruction Fuzzy Hash: 74419D70500240AFD710DF24C884BBA7BF8FB8A734F044629F6A4872A2D7789845DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0082B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(008667B0,00000000,01234C08,?,?,008667B0,?,0082B862,?,?), ref: 0082B9CC
EnableWindow.USER32(00000000,00000000), ref: 0082B9F0
ShowWindow.USER32(008667B0,00000000,01234C08,?,?,008667B0,?,0082B862,?,?), ref: 0082BA50
ShowWindow.USER32(00000000,00000004,?,0082B862,?,?), ref: 0082BA62
EnableWindow.USER32(00000000,00000001), ref: 0082BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0082BAA9

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 799e3de0940a484ae9cb3a6719ba6bfa3dd0e0ec95875513f4408783f1863dc6
Instruction ID: d13af85b956e2e88fd0a9d2f0eddc39c4ac2bf724b126f0468c1531e069fbb4c
Opcode Fuzzy Hash: 799e3de0940a484ae9cb3a6719ba6bfa3dd0e0ec95875513f4408783f1863dc6
Instruction Fuzzy Hash: 68415130602261AFDB21CF14E489B957FE0FB05310F1881B9FA49DF6A2D731E886CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008173B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00815134,?,?,00000000,00000001), ref: 008173BF

Part of subcall function 00813C94: GetWindowRect.USER32(?,?), ref: 00813CA7

GetDesktopWindow.USER32 ref: 008173E9
GetWindowRect.USER32(00000000), ref: 008173F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00817422

Part of subcall function 008054E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0080555E

GetCursorPos.USER32(?), ref: 0081744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008174AC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: d5fd864bab950dfa5c8e43e9a710dd4664127cf1edfe9eb67f3f6c629a7fcd3c
Instruction ID: a225531489557669282ba82dbaaaa101e28d45ca0e5ac14e58f9922a5b430aec
Opcode Fuzzy Hash: d5fd864bab950dfa5c8e43e9a710dd4664127cf1edfe9eb67f3f6c629a7fcd3c
Instruction Fuzzy Hash: 6031C172508315ABD720DF14D849E9BBBA9FF88314F004929F589D7192C630EA89CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 007F8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007F8608
Part of subcall function 007F85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007F8612
Part of subcall function 007F85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007F8621
Part of subcall function 007F85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007F8628
Part of subcall function 007F85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007F863E

GetLengthSid.ADVAPI32(?,00000000,007F8977), ref: 007F8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007F8DB8
HeapAlloc.KERNEL32(00000000), ref: 007F8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 007F8DD8
GetProcessHeap.KERNEL32(00000000,00000000,007F8977), ref: 007F8DEC
HeapFree.KERNEL32(00000000), ref: 007F8DF3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: bfde6055a1dc3161c2a6a3af9bfb7334fe13378a97b7542bc1a294be5a5ce330
Instruction ID: 01cd753e62942e3c241310352c66bb7c9782a5f424412fa61cc9d0ad8600575c
Opcode Fuzzy Hash: bfde6055a1dc3161c2a6a3af9bfb7334fe13378a97b7542bc1a294be5a5ce330
Instruction Fuzzy Hash: 2B11E131600609FFDB648F64CC09BBE7779FF48315F10802AEA4597251CB399901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007F8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007F8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 007F8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007F8B40
CloseHandle.KERNEL32(00000004), ref: 007F8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007F8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 007F8B8E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6c7709d9cb70c6a6b08deac65451ddad67727fec59f000faf15c80cb72b370c9
Instruction ID: 6f2150a3068fd040a521167972068714a9098e3c7019a85d3fe26f28d9442118
Opcode Fuzzy Hash: 6c7709d9cb70c6a6b08deac65451ddad67727fec59f000faf15c80cb72b370c9
Instruction Fuzzy Hash: FC1147B250024DABDB118FA4ED49FEA7BB9FB08314F048065FF04A2261C7768D61EB61

Uniqueness

Uniqueness Score: -1.00%

Function 0082C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007A12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007A134D
Part of subcall function 007A12F3: SelectObject.GDI32(?,00000000), ref: 007A135C
Part of subcall function 007A12F3: BeginPath.GDI32(?), ref: 007A1373
Part of subcall function 007A12F3: SelectObject.GDI32(?,00000000), ref: 007A139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0082C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0082C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0082C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0082C1F6
EndPath.GDI32(00000000), ref: 0082C206
StrokePath.GDI32(00000000), ref: 0082C216

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1aca5af80fb5c5bcf99a70c42eb3d4d0cf8be77d2b469c7cdfebbe4b35e2c4b6
Instruction ID: c65753130a94259fc2e43e521968254c94b896185c6cf456fcbb8ae4e6409e9e
Opcode Fuzzy Hash: 1aca5af80fb5c5bcf99a70c42eb3d4d0cf8be77d2b469c7cdfebbe4b35e2c4b6
Instruction Fuzzy Hash: 2111FA7640014CBFDF129F90DC48EAA7FADFB04354F048025BA18861A2D7719D65DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007C03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 007C03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007C03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 007C0401

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e8417be18d06ccd8dc088b363afc351c8cc16c9d955d6959a4a68a9a14f910c3
Instruction ID: 18c440b4f69d0515324d732caef61ea85b39d855be75d0e0ece90238cb8cd69b
Opcode Fuzzy Hash: e8417be18d06ccd8dc088b363afc351c8cc16c9d955d6959a4a68a9a14f910c3
Instruction Fuzzy Hash: 3B016CB09027597DE3008F5A8C85B52FFB8FF19354F00411BA15C47942C7F5A868CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0080568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0080569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008056B1
GetWindowThreadProcessId.USER32(?,?), ref: 008056C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008056CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008056D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008056E0

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 55e61727246806824d73f79fcfbeb4ff570c9cd9048b8fd7cddafef028311f0d
Instruction ID: 151574a506365b003996fcec483283be885e98d96c9470ba8f669b118f329462
Opcode Fuzzy Hash: 55e61727246806824d73f79fcfbeb4ff570c9cd9048b8fd7cddafef028311f0d
Instruction Fuzzy Hash: 12F06D32241118BBE7315BA2DC0EEAB7B7CFBDAB11F004179FA00D109296A11A02C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 008074D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 008074E5
EnterCriticalSection.KERNEL32(?,?,007B1044,?,?), ref: 008074F6
TerminateThread.KERNEL32(00000000,000001F6,?,007B1044,?,?), ref: 00807503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,007B1044,?,?), ref: 00807510

Part of subcall function 00806ED7: CloseHandle.KERNEL32(00000000,?,0080751D,?,007B1044,?,?), ref: 00806EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00807523
LeaveCriticalSection.KERNEL32(?,?,007B1044,?,?), ref: 0080752A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a5ba85c583c9605ae8b62142f33388608c2acfee66ef2d1de03cb3d53410207a
Instruction ID: 64b2dcc18f74e1bf52bf97364fffb41a55f5f2bd8710148dec2bb45034fcea69
Opcode Fuzzy Hash: a5ba85c583c9605ae8b62142f33388608c2acfee66ef2d1de03cb3d53410207a
Instruction Fuzzy Hash: 74F05E3A540612EBDB621B64FD8D9EB773AFF46302B104531F302910B6DB755812CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007F8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007F8E7F
UnloadUserProfile.USERENV(?,?), ref: 007F8E8B
CloseHandle.KERNEL32(?), ref: 007F8E94
CloseHandle.KERNEL32(?), ref: 007F8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 007F8EA5
HeapFree.KERNEL32(00000000), ref: 007F8EAC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 96361f4d526cb948933754f9f325aedc05e92415932ae07a94755b03b94215ea
Instruction ID: 6a7a71bb1e7f07662b54f5c50f2b33a8904a55f23f1e7b9d411837f38bf3e78b
Opcode Fuzzy Hash: 96361f4d526cb948933754f9f325aedc05e92415932ae07a94755b03b94215ea
Instruction Fuzzy Hash: 30E0C236004001FBDA125FE1ED0C91ABB79FB89322B508230F31981171CB329432DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00818902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00818928
CharUpperBuffW.USER32(?,?), ref: 00818A37
VariantClear.OLEAUT32(?), ref: 00818BAF

Part of subcall function 00807804: VariantInit.OLEAUT32(00000000), ref: 00807844
Part of subcall function 00807804: VariantCopy.OLEAUT32(00000000,?), ref: 0080784D
Part of subcall function 00807804: VariantClear.OLEAUT32(00000000), ref: 00807859

Strings

AUTOIT.ERROR, xrefs: 00818A3D
Incorrect Parameter format, xrefs: 00818960, 00818B22

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 94cd021e4ebb4091017e85810d8e01d119c6e02f339c8881a79b19c77e89e99c
Instruction ID: feb2fe54c2b1be9af355962e67f7fcaba695a8b3d931cc34c0b79d51e4bcd4a7
Opcode Fuzzy Hash: 94cd021e4ebb4091017e85810d8e01d119c6e02f339c8881a79b19c77e89e99c
Instruction Fuzzy Hash: 60912771608305DFC710DF24C48599ABBE8FF89314F048A6EF99ACB262DB31E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00802F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007BFEC6: _wcscpy.LIBCMT ref: 007BFEE9

_memset.LIBCMT ref: 00803077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008030A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00803159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00803187

Strings

0, xrefs: 00803063

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: aa876d289de15aad6dc634135ed5071a7c68e5d068b03f27d39932bdc20f8216
Instruction ID: 278e72f99d318d793862f577373161a2097c333ff251628fe46a441eaf5ee7ab
Opcode Fuzzy Hash: aa876d289de15aad6dc634135ed5071a7c68e5d068b03f27d39932bdc20f8216
Instruction Fuzzy Hash: C851A031609301AAD7A59F28CC49A6BB7ECFF89354F044A2EF895D31D1DB74CA448792

Uniqueness

Uniqueness Score: -1.00%

Function 007FDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007FDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007FDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007FDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007FDB8E

Strings

DllGetClassObject, xrefs: 007FDB01

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 173b792759775415a1e9878dc79f1c4bef90c5bcaaeca36a1cc40804aa460324
Instruction ID: aa0123af8bd5a276f5852f52bd3eeeed6c191a761538c369c8cd7450118f2de4
Opcode Fuzzy Hash: 173b792759775415a1e9878dc79f1c4bef90c5bcaaeca36a1cc40804aa460324
Instruction Fuzzy Hash: 614160B1600208EFDB25CF54C884AAA7BBAFF44310F1581A9AE059F305D7B5DD45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00802C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00802CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00802CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00802D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00866890,00000000), ref: 00802D5A

Strings

0, xrefs: 00802CA4

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: c45cbe7aa5b573952199798821fb1708eb08269599b85a60b3cc49e4af458b02
Instruction ID: 468ed11487144b3112db74118ea093e0695225e37fd4080e1b7fbdef6e72d006
Opcode Fuzzy Hash: c45cbe7aa5b573952199798821fb1708eb08269599b85a60b3cc49e4af458b02
Instruction Fuzzy Hash: 32419D312053069FD764DF28CC48B1ABBA8FF85320F00466DE965D72D1D7B0E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0081DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0081DAD9

Part of subcall function 007A79AB: _memmove.LIBCMT ref: 007A79F9

Strings

cdecl, xrefs: 0081DB30
none, xrefs: 0081DBB4
stdcall, xrefs: 0081DB5B
winapi, xrefs: 0081DB4A

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 8f42a50a9de5a2efd445b37e0a27e075e43312a9349d96b47352fcd48c7b0750
Instruction ID: 26c2ccbff3f7159cc3b1f3c3717688596af509239e48ebf4745f098e9daccadd
Opcode Fuzzy Hash: 8f42a50a9de5a2efd445b37e0a27e075e43312a9349d96b47352fcd48c7b0750
Instruction Fuzzy Hash: 0A317371604619DBCF10DF54CC81AEEB7B8FF55320B108629E866D76D1DB35A94ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 007F9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 007FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007FB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007F93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007F9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 007F9439

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

Strings

ListBox, xrefs: 007F93B5
ComboBox, xrefs: 007F9380

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: fd354997be064dfba8138aee474fc32b82754193f7e0aacdb2c94863bed22d02
Instruction ID: 815f260774cb1fa7b78420cbaed1cd1343c8fd3fff99c9c62756bb85834c2ae3
Opcode Fuzzy Hash: fd354997be064dfba8138aee474fc32b82754193f7e0aacdb2c94863bed22d02
Instruction Fuzzy Hash: 2721D5B1A00108FEDB18AB64DC89DFFB778EF55350B108229FA25972E1DB3D4A4AD650

Uniqueness

Uniqueness Score: -1.00%

Function 00826656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007A1D73
Part of subcall function 007A1D35: GetStockObject.GDI32(00000011), ref: 007A1D87
Part of subcall function 007A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007A1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008266D0
LoadLibraryW.KERNEL32(?), ref: 008266D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008266EC
DestroyWindow.USER32(?), ref: 008266F4

Strings

SysAnimate32, xrefs: 008266AB

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ba3aa5eb4c62f8814369b9a70b635eed691d2b139f11de90964f7965b9201ab4
Instruction ID: 105befa2db7a3f359e8ea7b75018b571191a85f01936168ee01c1b115affd6a7
Opcode Fuzzy Hash: ba3aa5eb4c62f8814369b9a70b635eed691d2b139f11de90964f7965b9201ab4
Instruction Fuzzy Hash: 1E215B7120021AEFEF104E64FC84EBB77ADFB69768F104629FA11D21A0E7719CA19760

Uniqueness

Uniqueness Score: -1.00%

Function 0080703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0080705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00807091
GetStdHandle.KERNEL32(0000000C), ref: 008070A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008070DD

Strings

nul, xrefs: 008070D8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 660a87bad44bcc8b4503d614d665fc13d591779bc6e65836ea585aeeccbf1c8e
Instruction ID: 0b8d390e214d6ec2209cccd5984a6fda54187662a29310b19c0fd71000113e88
Opcode Fuzzy Hash: 660a87bad44bcc8b4503d614d665fc13d591779bc6e65836ea585aeeccbf1c8e
Instruction Fuzzy Hash: 7C218E74A04609ABDB609F28DC05A9A77B8FF55724F208B29FDA0D72D0E770A851CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0080710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0080712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0080715D
GetStdHandle.KERNEL32(000000F6), ref: 0080716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008071A8

Strings

nul, xrefs: 008071A3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3f1e0d2a1630040e9eb44cd13c81aefd24b5b9f8cc5a7e2fc205e21270901808
Instruction ID: 5cbbd62b30ede35c5cdb64ed58105e78ba5201e75d8ce72f3516f0fc2fddbf8e
Opcode Fuzzy Hash: 3f1e0d2a1630040e9eb44cd13c81aefd24b5b9f8cc5a7e2fc205e21270901808
Instruction Fuzzy Hash: E321A475A042059BDB609F689C05A9977A8FF55724F204619FDA0D32D0D770A851C751

Uniqueness

Uniqueness Score: -1.00%

Function 0080AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0080AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0080AF13
__swprintf.LIBCMT ref: 0080AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0082F910), ref: 0080AF6A

Strings

%lu, xrefs: 0080AF26

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b4ecc4629446458f61f7c6aa4e055bb80d9202512afc1ae431c68cd45898b511
Instruction ID: 613583268b9c8656381e9c548d9d86c84bb30248e10cd9c1abfeda8e5bb59c92
Opcode Fuzzy Hash: b4ecc4629446458f61f7c6aa4e055bb80d9202512afc1ae431c68cd45898b511
Instruction Fuzzy Hash: 69213275600209EFCB10DB54CD89DAE7BB8FF89704B108169F905EB352DA35EA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007FA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

Part of subcall function 007FA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007FA399
Part of subcall function 007FA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 007FA3AC
Part of subcall function 007FA37C: GetCurrentThreadId.KERNEL32 ref: 007FA3B3
Part of subcall function 007FA37C: AttachThreadInput.USER32(00000000), ref: 007FA3BA

GetFocus.USER32 ref: 007FA554

Part of subcall function 007FA3C5: GetParent.USER32(?), ref: 007FA3D3

GetClassNameW.USER32(?,?,00000100), ref: 007FA59D
EnumChildWindows.USER32(?,007FA615), ref: 007FA5C5
__swprintf.LIBCMT ref: 007FA5DF

Strings

%s%d, xrefs: 007FA5D9

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 86112ebf381abb22ccbf765964f335276b74587d2c9ca77920e8337c90c20ad4
Instruction ID: a36d83c2626f3bd2e9b522180477a75d865469a649fae4e7bf115e67bc24eb08
Opcode Fuzzy Hash: 86112ebf381abb22ccbf765964f335276b74587d2c9ca77920e8337c90c20ad4
Instruction Fuzzy Hash: F01190B1200209BBDF107F60DC89FBA37B8EF49700F048075BA0CAA252CA785945CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00802017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00802048

Strings

REMOVE, xrefs: 0080204E
KEYS, xrefs: 0080205F
APPEND, xrefs: 00802081
EXISTS, xrefs: 00802070

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 2dc1a779ab6a0f7510bc70731ef9751a797644bbdfdd8cf00bd57cc4aa35010f
Instruction ID: 1c7a1a39240845d6adbb9b65ebec7a7e6aababcb04639b8f7a15fadd0bea4911
Opcode Fuzzy Hash: 2dc1a779ab6a0f7510bc70731ef9751a797644bbdfdd8cf00bd57cc4aa35010f
Instruction Fuzzy Hash: 15115E30941609DFCF44EFB4D8959EEB7B4FF16304B108568D856A7292EB725E0ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0081EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0081EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0081EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0081F07E
CloseHandle.KERNEL32(?), ref: 0081F0FF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: b3f678e3cf6ecb2fa7504dc0148d5eb523e9d9e6fdc055e46d43df8feee89011
Instruction ID: 0ec46335f92444d21dff66d9e0987008e7daf37955b991e4230a9888777957e3
Opcode Fuzzy Hash: b3f678e3cf6ecb2fa7504dc0148d5eb523e9d9e6fdc055e46d43df8feee89011
Instruction Fuzzy Hash: B8815E71604700DFD720DF28C84AB6AB7E9EF88720F14892DFA95DB292DB74AC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008202C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 008210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00820038,?,?), ref: 008210BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00820388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008203C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0082040E
RegCloseKey.ADVAPI32(?,?), ref: 0082043A
RegCloseKey.ADVAPI32(00000000), ref: 00820447

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: d2b314dcca1f98985a0ca838382836208ded774e016b709d1f6ac51f30126f67
Instruction ID: 9a0e253ffad0c7638114c47244d1e18e1eb5847ff4ddc6c374beeaa6257ee05e
Opcode Fuzzy Hash: d2b314dcca1f98985a0ca838382836208ded774e016b709d1f6ac51f30126f67
Instruction Fuzzy Hash: 6B514A71208204EFD704EF64DC89E6EB7E8FF84718F04892DB695972A2DB34E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0081DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0081DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0081DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0081DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0081DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0081DD35

Part of subcall function 007A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00807B20,?,?,00000000), ref: 007A5B8C
Part of subcall function 007A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00807B20,?,?,00000000,?,?), ref: 007A5BB0

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 1d67f2e8bd44637ef79300855242c8d93957f12eb0b385313869f396b559a0d9
Instruction ID: c5b6beb42b72567e570390eb1017b10034bb1b6893052d1bd17e4fcb955a8e90
Opcode Fuzzy Hash: 1d67f2e8bd44637ef79300855242c8d93957f12eb0b385313869f396b559a0d9
Instruction Fuzzy Hash: 5A510875A00609DFCB00EF68C4889ADB7F8FF59320B14C569E915AB322DB34AD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0080E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0080E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0080E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0080E8F2

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0080E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0080E91F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: a53b1bba5ca92dc30832646b543b6df35290a826fcf3183c6943537bdb73641b
Instruction ID: a2d3dca480c28c09feb8dc4e3873275f6f37857af5fcb1e2633cdf43ab8bee4f
Opcode Fuzzy Hash: a53b1bba5ca92dc30832646b543b6df35290a826fcf3183c6943537bdb73641b
Instruction Fuzzy Hash: 76512835A00205EFCB11EF64C985AAEBBF5FF49310B1480A9E949AB362DB35ED51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0082A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17f1da314be2854379bbf21345080e3cc59467a174c380db6d05bc26f7a6b10
Instruction ID: 3a364df2d7ad46e67829558cc6e8907028fe98d093eda318011b9bdc53ccc78a
Opcode Fuzzy Hash: f17f1da314be2854379bbf21345080e3cc59467a174c380db6d05bc26f7a6b10
Instruction Fuzzy Hash: D841FF35900228AFC728DF28EC48FA9BBA8FF09310F154265F915E72E1D770AD81DA91

Uniqueness

Uniqueness Score: -1.00%

Function 007A2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007A2357
ScreenToClient.USER32(008667B0,?), ref: 007A2374
GetAsyncKeyState.USER32(00000001), ref: 007A2399
GetAsyncKeyState.USER32(00000002), ref: 007A23A7

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 635c56812399c66f41362606574cd1bd3e6afbc796dd9c8e5fb9172e177aecc8
Instruction ID: a1e1eff9be5acd0cccfa0c71c1bbd654ae54941e1e1f572f5b3a8e991d9153aa
Opcode Fuzzy Hash: 635c56812399c66f41362606574cd1bd3e6afbc796dd9c8e5fb9172e177aecc8
Instruction Fuzzy Hash: 3E41837150411AFBDF169FA8C848AEEBB74FF46320F20432AF92492291C7386995DF91

Uniqueness

Uniqueness Score: -1.00%

Function 007F6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007F695D
TranslateAcceleratorW.USER32(?,?,?), ref: 007F69A9
TranslateMessage.USER32(?), ref: 007F69D2
DispatchMessageW.USER32(?), ref: 007F69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007F69EB

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a9cc37f8d12aeba64ad470c4afab323d4e94300afeb6620e3292d1946e485a2b
Instruction ID: f273f2eb6b45c28ba36898b236012c377352e350f5dd28b08a4e52c8e4891d35
Opcode Fuzzy Hash: a9cc37f8d12aeba64ad470c4afab323d4e94300afeb6620e3292d1946e485a2b
Instruction Fuzzy Hash: 9C31F87150424AAADB20CF74CC44FB67BBCFB11304F10817DE621D72A1E7B9A899D790

Uniqueness

Uniqueness Score: -1.00%

Function 007F8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007F8F12
PostMessageW.USER32(?,00000201,00000001), ref: 007F8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007F8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 007F8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007F8FDA

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c2d7095a873d5c13c779d379d3397188204647685c58b65a99f12807d32fa663
Instruction ID: 9ea9eaa0437048ee9c997fe93d9fc5907318e546c432a07abfffd9fd149ec328
Opcode Fuzzy Hash: c2d7095a873d5c13c779d379d3397188204647685c58b65a99f12807d32fa663
Instruction Fuzzy Hash: 6331DC7150021DEFDB10CF68DD4CAAE7BB6FB04315F108229FA24AA2D1C7B49910CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007FB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 007FB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007FB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007FB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007FB742
_wcsstr.LIBCMT ref: 007FB74C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e80c87a9cca6bd3fb3a8b5c221bd06bd9ee9a6e6939226f67ce9c4351a07eca4
Instruction ID: 7eeaa4ab0b71a12f4cf6983fa34cf9e897da63352ae31e90070dc902c77afd6f
Opcode Fuzzy Hash: e80c87a9cca6bd3fb3a8b5c221bd06bd9ee9a6e6939226f67ce9c4351a07eca4
Instruction Fuzzy Hash: C121DD71204208FAEB255B35DC49E7B7BA9DF49710F10803EFE05C9251EB65DC41D660

Uniqueness

Uniqueness Score: -1.00%

Function 0082B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

GetWindowLongW.USER32(?,000000F0), ref: 0082B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0082B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0082B489
GetSystemMetrics.USER32(00000004), ref: 0082B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00811184,00000000), ref: 0082B4D0

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: f51f281e95a2fd0eecc2552af4f4d266541640cfa32dd10eb26e21e27db96240
Instruction ID: 8eb9a6a2f12def20bd97387f3d9747d16c8a3f7c96f500121877cc56c0394d7c
Opcode Fuzzy Hash: f51f281e95a2fd0eecc2552af4f4d266541640cfa32dd10eb26e21e27db96240
Instruction Fuzzy Hash: BA21A631511666AFCB20AF38EC84A6677A4FB05724F158734FD25D31E2E7309C91DB84

Uniqueness

Uniqueness Score: -1.00%

Function 007F97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007F9802

Part of subcall function 007A7D2C: _memmove.LIBCMT ref: 007A7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007F9834
__itow.LIBCMT ref: 007F984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007F9874
__itow.LIBCMT ref: 007F9885

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 3d6933c8e2175b571ffac69dc3246792fe047924b1a3c932c67964b56c315c02
Instruction ID: 3a28bfb77d8a5d1b58d66407893666e7001df1a3db8c00bb99ed6cdaec639c49
Opcode Fuzzy Hash: 3d6933c8e2175b571ffac69dc3246792fe047924b1a3c932c67964b56c315c02
Instruction Fuzzy Hash: A5218331B00208EBDB209A658C8AFFE7BA9EF8A750F044039FB05DB351E6788D45D791

Uniqueness

Uniqueness Score: -1.00%

Function 007A12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007A134D
SelectObject.GDI32(?,00000000), ref: 007A135C
BeginPath.GDI32(?), ref: 007A1373
SelectObject.GDI32(?,00000000), ref: 007A139C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 44e63dde3dcc9abe29bcf72d1fafcd922ef39d1dd5bc8b08e8a68d2b6dee32a7
Instruction ID: 1021d417b061def015036a09054f302a05b7a8da33d76e7d1532be7d9045d7d3
Opcode Fuzzy Hash: 44e63dde3dcc9abe29bcf72d1fafcd922ef39d1dd5bc8b08e8a68d2b6dee32a7
Instruction Fuzzy Hash: CE213C70800248EBEF119F25DC04BAD7BB8FB81322F558336E910975A1E7B599A2DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007FC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 007FC176
_memcmp.LIBCMT ref: 007FC194
_memcmp.LIBCMT ref: 007FC1A7
_memcmp.LIBCMT ref: 007FC1BF
_memcmp.LIBCMT ref: 007FC1D7

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5c766d870e61a057871cf525f96ce0ae1ccf1a6d2da53a58d0d5f52ca3c0a7a9
Instruction ID: 820d7eade9afd8a67824abd14fd8e603c0e08476acf7ecdf062b1d485380e6da
Opcode Fuzzy Hash: 5c766d870e61a057871cf525f96ce0ae1ccf1a6d2da53a58d0d5f52ca3c0a7a9
Instruction Fuzzy Hash: 2A0196F160410D7BD205A6245E56F7B635CEB513A4F444029FE14E6383EA5CEE21C2E1

Uniqueness

Uniqueness Score: -1.00%

Function 00804D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00804D5C
__beginthreadex.LIBCMT ref: 00804D7A
MessageBoxW.USER32(?,?,?,?), ref: 00804D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00804DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00804DAC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: f9ddf869fb397b9f32668bae1667dd127a81e2f808ce4e94984fd56cb9ae4520
Instruction ID: f722b03f4d26a3de02c79c308367d3a9c6bdf68629c22fa4c2b90f96a40d2ab0
Opcode Fuzzy Hash: f9ddf869fb397b9f32668bae1667dd127a81e2f808ce4e94984fd56cb9ae4520
Instruction Fuzzy Hash: 371104B2904249BBC7119BA8DC08A9B7FADFB45324F188369FE14D3391D6B58D548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007F874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007F8766
GetLastError.KERNEL32(?,007F822A,?,?,?), ref: 007F8770
GetProcessHeap.KERNEL32(00000008,?,?,007F822A,?,?,?), ref: 007F877F
HeapAlloc.KERNEL32(00000000,?,007F822A,?,?,?), ref: 007F8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007F879D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 2549620789798512b70fcd0d1f50ce5cf76ccf26a5917987d8411e6e3da55dc7
Instruction ID: a543a7dbcfc9b8ec45795424be8d38313ea1ee4e9e905bfa75454185e26e7df4
Opcode Fuzzy Hash: 2549620789798512b70fcd0d1f50ce5cf76ccf26a5917987d8411e6e3da55dc7
Instruction Fuzzy Hash: C7014BB1600208FFDB205FA6DC89D6B7BBCFF99755B204439FA49C6260DA318C12CA70

Uniqueness

Uniqueness Score: -1.00%

Function 008054E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00805502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00805510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00805518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00805522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0080555E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 72e86c4ee51dd4b991ca2ba64513adbd7dceef658b7a380ce09dbd3b3c56e4f4
Instruction ID: 685ad620c68d8b7fad79d3f4ea16682e15beeec2af63489f8f30f9bd21f48b89
Opcode Fuzzy Hash: 72e86c4ee51dd4b991ca2ba64513adbd7dceef658b7a380ce09dbd3b3c56e4f4
Instruction Fuzzy Hash: B8013975C00A1DDBCF109BE8EC496EEBB78FB09711F404066E901F2191DB309661CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007F7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?,?,?,007F799D), ref: 007F766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?,?), ref: 007F768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?,?), ref: 007F7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?), ref: 007F76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007F758C,80070057,?,?), ref: 007F76B4

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cb612f16a1bfb2dba0c5acf213c6eb566f96d34a3c9c6ad2b806ba5411ae1986
Instruction ID: f28d4fb0537aa6ba47efcdf96d108b5aff0f2b4ae5bc89f88573be504d915d89
Opcode Fuzzy Hash: cb612f16a1bfb2dba0c5acf213c6eb566f96d34a3c9c6ad2b806ba5411ae1986
Instruction Fuzzy Hash: E0017172601608ABDB249F5CDC48AAABBBDEB49761F144038FE04D2312E735DD41D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 007F85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007F8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007F8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007F8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007F8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007F863E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 487d3fd412b2dac378fe55f8cc15a703541add3e273991497786e719d9840990
Instruction ID: 271c5305ff0455976a03f32496f8812da7c80811206ba0308e52d4f3b3eb5b87
Opcode Fuzzy Hash: 487d3fd412b2dac378fe55f8cc15a703541add3e273991497786e719d9840990
Instruction Fuzzy Hash: C2F03C31205208AFEB214FA5DC89E7B3BACFF89754B444435FA45C6252CB659C42DA61

Uniqueness

Uniqueness Score: -1.00%

Function 007F8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007F8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007F8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007F8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007F8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007F869F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 08dcac769bc765e9d8f3ec833bb377ef16b85b9efefb5b7e2cb612922df32140
Instruction ID: 2ee3bc3ba0652879b0f0f9ea8109031d7c577e70c3248b0b952335ecea8ecc00
Opcode Fuzzy Hash: 08dcac769bc765e9d8f3ec833bb377ef16b85b9efefb5b7e2cb612922df32140
Instruction Fuzzy Hash: 15F04F71200208BFEB215FA5EC88E773BBCFF89754B104035FA45C6252CB759942DA61

Uniqueness

Uniqueness Score: -1.00%

Function 007FC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 007FC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 007FC6D1
MessageBeep.USER32(00000000), ref: 007FC6E9
KillTimer.USER32(?,0000040A), ref: 007FC705
EndDialog.USER32(?,00000001), ref: 007FC71F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 18554659602a47fd3674856aadf5212bd905070da9f0adb2f4b3d8b5aad0df3e
Instruction ID: 2a785e420992395ce942c6015678a50324f996e6b6eecd0fe628cbadd9003989
Opcode Fuzzy Hash: 18554659602a47fd3674856aadf5212bd905070da9f0adb2f4b3d8b5aad0df3e
Instruction Fuzzy Hash: 0F014F3050470CABEB316B60DD4EFA677B8FF10705F004669B752A15E1EBE8A959CE90

Uniqueness

Uniqueness Score: -1.00%

Function 007A13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007A13BF
StrokeAndFillPath.GDI32(?,?,007DBAD8,00000000,?), ref: 007A13DB
SelectObject.GDI32(?,00000000), ref: 007A13EE
DeleteObject.GDI32 ref: 007A1401
StrokePath.GDI32(?), ref: 007A141C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6f5a5b426f2be4d99de3edc86d608c8762633994b6bb8398f10ac1fbf4c889cb
Instruction ID: 4f5992135a77db5f0c52370203bbb95dc4dc865f9ee632b02665af1d7ad12a8a
Opcode Fuzzy Hash: 6f5a5b426f2be4d99de3edc86d608c8762633994b6bb8398f10ac1fbf4c889cb
Instruction Fuzzy Hash: E7F0C930004688EBEB225F2AED0CB583FB5B742326F55D234E929860F2D77949A6DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0080C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0080C69D
CoCreateInstance.OLE32(00832D6C,00000000,00000001,00832BDC,?), ref: 0080C6B5

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

CoUninitialize.OLE32 ref: 0080C922

Strings

.lnk, xrefs: 0080C631, 0080C659, 0080C663

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: ad03b69133c6d793f7af25dc0cf5fa94b103dfefe5ba77883879a586044aad09
Instruction ID: 5b3fc594f43502a0868f03ef97d406fb42a40cdd7f2278daa6ffcf383641fe99
Opcode Fuzzy Hash: ad03b69133c6d793f7af25dc0cf5fa94b103dfefe5ba77883879a586044aad09
Instruction Fuzzy Hash: 1BA11B71204205AFD700EF54C885EABB7E8FFD5704F008A29F256971A2EB75AA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007B2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 007C0FF6: std::exception::exception.LIBCMT ref: 007C102C
Part of subcall function 007C0FF6: __CxxThrowException@8.LIBCMT ref: 007C1041

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 007A7BB1: _memmove.LIBCMT ref: 007A7C0B

__swprintf.LIBCMT ref: 007B302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 007B2EC6

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 8a155c46aabd9ee738f094f2c3279b3a2ec216fea55884ee19410add7112a032
Instruction ID: 1bf7838bad70f42bb3fbedf1cdaf2f5e19cc4b8de6b1d8fbb0a22a8d4b5a63fa
Opcode Fuzzy Hash: 8a155c46aabd9ee738f094f2c3279b3a2ec216fea55884ee19410add7112a032
Instruction Fuzzy Hash: 52916F71108341DFC718EF24D989DAEB7A5EF99750F004A1DF4459B2A1EA38EE44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0080BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 007A48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007A48A1,?,?,007A37C0,?), ref: 007A48CE

CoInitialize.OLE32(00000000), ref: 0080BC26
CoCreateInstance.OLE32(00832D6C,00000000,00000001,00832BDC,?), ref: 0080BC3F
CoUninitialize.OLE32 ref: 0080BC5C

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

Strings

.lnk, xrefs: 0080BC08, 0080BC16

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 5e16796a7a57daf16a57051d075dc775a412206f23f679fa77a32cb3b010f0a2
Instruction ID: e7691714d89a8370eb37ae79f381bde7070ca90ef16d3063f76d493bf0fc4ae1
Opcode Fuzzy Hash: 5e16796a7a57daf16a57051d075dc775a412206f23f679fa77a32cb3b010f0a2
Instruction Fuzzy Hash: 2CA143752043019FCB10DF14C888D6ABBE5FF89314F148A98F9999B3A1CB35ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007C524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007C52DD

Part of subcall function 007D0340: __87except.LIBCMT ref: 007D037B

Strings

pow, xrefs: 007C52B5, 007C52D2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f352b5c98f49eee225cd2fcf71594e06db68cfa161a30863bb09a64b6970b6df
Instruction ID: 61cf69690d0873114eb2a2d7a051f039048bcb79453136dc2d6ace327fcb97fb
Opcode Fuzzy Hash: f352b5c98f49eee225cd2fcf71594e06db68cfa161a30863bb09a64b6970b6df
Instruction Fuzzy Hash: E45178A1A0CA41C7DB11B724C901B6E2BE0AB41350F246D5EE4C5823E6EF7EDCD49AC6

Uniqueness

Uniqueness Score: -1.00%

Function 007C023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 007C0277
#, xrefs: 007C0280

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 550aeb6d7dc1978460e5a5a15201b453451de3fb56a33e141728bbbae0dc5fa5
Instruction ID: af8bfc7d332650990089ceaa5ca6ba01a6849da5e30975549cc69c843ac735e0
Opcode Fuzzy Hash: 550aeb6d7dc1978460e5a5a15201b453451de3fb56a33e141728bbbae0dc5fa5
Instruction Fuzzy Hash: FF511275606689DFCF259F28C888AF97BA4FF56310F184059EA919B3A0D73C9C42C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 007B3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007B33D7
_memmove.LIBCMT ref: 007B3470
_free.LIBCMT ref: 007B3496
_memmove.LIBCMT ref: 007B3549

Strings

Oa{, xrefs: 007B3482

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa{
API String ID: 2620147621-1068949949
Opcode ID: fd18cba13a13dc34b4aa5dd9c1d7c5219fe000a0879f360c2d76466647116d7c
Instruction ID: ad5aefba1122b1dd8fb3bd6365fd5a2cb6b93dc0b391c80737221c41bfded7ff
Opcode Fuzzy Hash: fd18cba13a13dc34b4aa5dd9c1d7c5219fe000a0879f360c2d76466647116d7c
Instruction Fuzzy Hash: F2515A716083419FDB24CF28C485B6EBBE5BF89314F04492DE989C7351EB39E981CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007B62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007B63A8
_memmove.LIBCMT ref: 007B6446
_memset.LIBCMT ref: 007B646A

Strings

ERCP, xrefs: 007B6313

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 62e1788313bc821bf566ff615242b64f710e792497ee3c6b104414cfdcb7517d
Instruction ID: b582e6ae60d9680e1b9116b2638360bf288ce7284e363243247518c83a832201
Opcode Fuzzy Hash: 62e1788313bc821bf566ff615242b64f710e792497ee3c6b104414cfdcb7517d
Instruction Fuzzy Hash: 62516D71900759DBDB24CF65C885BEABBE4FF04714F20856EEA4ACB241E7799684CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00827BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0082F910,00000000,?,?,?,?), ref: 00827C4E
GetWindowLongW.USER32 ref: 00827C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00827C7B

Strings

SysTreeView32, xrefs: 00827C20

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5475bc60395e010dd04b8f3b7c497520acad5659d4f4297e1e67105ff9712cea
Instruction ID: 9b4151deb34514c60f2ef65e172f175a00f150aa40f54f66a8b65ccda282d0eb
Opcode Fuzzy Hash: 5475bc60395e010dd04b8f3b7c497520acad5659d4f4297e1e67105ff9712cea
Instruction Fuzzy Hash: 3E31FC31204216ABDB218F38EC05BEA37A9FF59324F204725F975E32E0C734E8918B50

Uniqueness

Uniqueness Score: -1.00%

Function 00827648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008276D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008276E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00827708

Strings

SysMonthCal32, xrefs: 0082769B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7e552709f42077957a56d061f86395fbbf92ed033e134c4a5b820e583b7b4a31
Instruction ID: 373b856f49382a2d0c562aa4ede7fcbe7094f4fa8241237410f0f6e7f945eb1b
Opcode Fuzzy Hash: 7e552709f42077957a56d061f86395fbbf92ed033e134c4a5b820e583b7b4a31
Instruction Fuzzy Hash: D621BF32600229BBDF258E64DC46FEA3B79FB58714F110214FE15AB1D0D6B1A891CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00826F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00826FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00826FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00826FDF

Strings

Listbox, xrefs: 00826F77

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9ef7e29c0d793b9b782826c0073343346687a8f3833d7fd6b58d387f0290c513
Instruction ID: 35f630dcdf0fa684dd74e6cc3e39f833c70e626ff4dbe4bd46f14f516d46834f
Opcode Fuzzy Hash: 9ef7e29c0d793b9b782826c0073343346687a8f3833d7fd6b58d387f0290c513
Instruction Fuzzy Hash: 10219532611128BFDF158F54EC85EAB37AAFF89754F018124FA14D7190DA719CA1C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0082797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008279E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008279F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00827A03

Strings

msctls_trackbar32, xrefs: 008279B8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6e83b2b4e3600c2a822cd7543f3312b6b434b61499bbc3fd603c34d111e04104
Instruction ID: e91bc9ec4989bc039988a5b07bf517df642dde861a206c0abaefbde9f0418dc7
Opcode Fuzzy Hash: 6e83b2b4e3600c2a822cd7543f3312b6b434b61499bbc3fd603c34d111e04104
Instruction Fuzzy Hash: 7D11E332244218BBEF249F75DC05FAB3BA9FF89764F024629FA41A6091D2719891CB60

Uniqueness

Uniqueness Score: -1.00%

Function 007A4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007A4C2E), ref: 007A4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007A4CB5

Strings

GetNativeSystemInfo, xrefs: 007A4CAF
kernel32.dll, xrefs: 007A4C9E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 33b2c56891e2308dbb5be4c2f86e9cfa1efec83d6b7076a3c5a1c3c13308c3b6
Instruction ID: 597d53af567886ea4d48403cf7b8356f91022bfb11db8c7a5c34f834b34bb6dd
Opcode Fuzzy Hash: 33b2c56891e2308dbb5be4c2f86e9cfa1efec83d6b7076a3c5a1c3c13308c3b6
Instruction Fuzzy Hash: 78D01730510723CFD7209F31EA1860676F5BF46BA1B11C83EA99AD6251E6B8D8C1CA60

Uniqueness

Uniqueness Score: -1.00%

Function 007A4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007A4D2E,?,007A4F4F,?,008662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007A4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007A4D81

Strings

kernel32.dll, xrefs: 007A4D6A
Wow64DisableWow64FsRedirection, xrefs: 007A4D7B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: d89e7aceb23f3f6d6918e685cb231f7de5dee1e25de64a23fe24e6c27eb5a874
Instruction ID: b340835a8bb791c72a5e2392745f17d8a857dca25eb81e8825971d0bf0b385e5
Opcode Fuzzy Hash: d89e7aceb23f3f6d6918e685cb231f7de5dee1e25de64a23fe24e6c27eb5a874
Instruction Fuzzy Hash: 83D01730610723CFD7319F31E80861676E8BF56762B51C93AAA96DA290E6B9D880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 007A4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007A4CE1,?), ref: 007A4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007A4DB4

Strings

kernel32.dll, xrefs: 007A4D9D
Wow64RevertWow64FsRedirection, xrefs: 007A4DAE

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 8366fc3017c4ac54f63d2e56ccd8274f8df418b55fb78f5881a81a258d5a0512
Instruction ID: 4a0ca99ac789161cf4591b9e7a12cf859656f806fc69019650d5ef6c4b3f157e
Opcode Fuzzy Hash: 8366fc3017c4ac54f63d2e56ccd8274f8df418b55fb78f5881a81a258d5a0512
Instruction Fuzzy Hash: 50D01231650713DFD7305F31D80864676E4FF45755B11C839D9D6D6250D7B8D481C650

Uniqueness

Uniqueness Score: -1.00%

Function 00821072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,008212C1), ref: 00821080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00821092

Strings

advapi32.dll, xrefs: 0082107B
RegDeleteKeyExW, xrefs: 0082108C

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: ebff379fdbb3f57565cc64b8d1734cc8607f1e6ef29108f7284a4f07d579a928
Instruction ID: 2ade85a0e1ef144c84db680f65eff10a445abbe626f5299abc731caca19c7d8c
Opcode Fuzzy Hash: ebff379fdbb3f57565cc64b8d1734cc8607f1e6ef29108f7284a4f07d579a928
Instruction Fuzzy Hash: 3AD01230510722CFDB305F75D81852676F4FF25752F11CC39A895D6650D774C4C0C650

Uniqueness

Uniqueness Score: -1.00%

Function 008193F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00819009,?,0082F910), ref: 00819403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00819415

Strings

kernel32.dll, xrefs: 008193FE
GetModuleHandleExW, xrefs: 0081940F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9b475176a2ce4fe1154f6cb1cf0377169578b7469f6f4adc82fcc097c7b1fed4
Instruction ID: 955c54ecf8c69a08d910bec437e685dfadcebf59c2a7d5b97366478263c7f3b1
Opcode Fuzzy Hash: 9b475176a2ce4fe1154f6cb1cf0377169578b7469f6f4adc82fcc097c7b1fed4
Instruction Fuzzy Hash: ABD0C730500323CFC7308F30DA0824376E8FF08352B00C83AE9D2C2651E674E8C0CA10

Uniqueness

Uniqueness Score: -1.00%

Function 007E1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 007E1B42
__swprintf.LIBCMT ref: 007E1B73

Strings

%.3d, xrefs: 007E1B4D
WIN_XPe, xrefs: 007E1BB2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 6dfda8cb4b7f9bd419b0fb2e4d748bf0a610f19aeca18561e59aaf0d13bc2d18
Instruction ID: bb2eb61b7f011795eea6a00fa61486f34b8b32877e6229c079c3d3c22389d340
Opcode Fuzzy Hash: 6dfda8cb4b7f9bd419b0fb2e4d748bf0a610f19aeca18561e59aaf0d13bc2d18
Instruction Fuzzy Hash: 3AD012F5805159EACB599A918C46DFA737CF70C301F9046D2B902D1000F33C9B85DB25

Uniqueness

Uniqueness Score: -1.00%

Function 007F76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aacb962402a2ebd28b9874a6a02dbd2b19bfa2d61515584458efaf829796f6
Instruction ID: fba7a3dfa5917ca83ee6590d6d816ea7240c529513712ad346006fbfdf0bd3d2
Opcode Fuzzy Hash: 50aacb962402a2ebd28b9874a6a02dbd2b19bfa2d61515584458efaf829796f6
Instruction Fuzzy Hash: F8C15C74A0421AEFCB18DFA8C884ABEB7B5FF48710B118598E905EB351D774ED81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0081E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0081E3D2
CharLowerBuffW.USER32(?,?), ref: 0081E415

Part of subcall function 0081DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0081DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0081E615
_memmove.LIBCMT ref: 0081E628

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 40cc3cd1726a7738e7c159c0bcc4d6f7a3ef880ebeb390814f0de35cffaee990
Instruction ID: 192e8088da97c4efa070227583a90ea3222a2b8dda76e2f04e2c3f5d06a71b6e
Opcode Fuzzy Hash: 40cc3cd1726a7738e7c159c0bcc4d6f7a3ef880ebeb390814f0de35cffaee990
Instruction Fuzzy Hash: B9C125716083019FC714DF28C48099ABBE9FF89718F14896DF999DB351D734E986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 008183A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008183D8
CoUninitialize.OLE32 ref: 008183E3

Part of subcall function 007FDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007FDAC5

VariantInit.OLEAUT32(?), ref: 008183EE
VariantClear.OLEAUT32(?), ref: 008186BF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f8421208097831d76e044f2786a27ead21dae5552db1e44f888f21285fc4bb29
Instruction ID: 01d96ca5a138bbd864965bc80170ea885ff2caa63f69537d9c3f88e8e0569bfa
Opcode Fuzzy Hash: f8421208097831d76e044f2786a27ead21dae5552db1e44f888f21285fc4bb29
Instruction Fuzzy Hash: 3CA14775204701DFCB10DF24C48AA5AB7E9FF89314F048559FA9A9B3A1CB34ED50CB86

Uniqueness

Uniqueness Score: -1.00%

Function 007F7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00832C7C,?), ref: 007F7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00832C7C,?), ref: 007F7C4A
CLSIDFromProgID.OLE32(?,?,00000000,0082FB80,000000FF,?,00000000,00000800,00000000,?,00832C7C,?), ref: 007F7C6F
_memcmp.LIBCMT ref: 007F7C90

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f6e9bb558e0c254f1fa3e0bca8a67472fad1ba2b4b376a05d0baaa1ee235ec42
Instruction ID: 7ac8a54ce0403264d4896a65d64bcafb0f482abb1b41e1663dffe49ee51f92f5
Opcode Fuzzy Hash: f6e9bb558e0c254f1fa3e0bca8a67472fad1ba2b4b376a05d0baaa1ee235ec42
Instruction Fuzzy Hash: E2810C71A00109EFCB04DF94C988DEEB7B9FF89315F2045A8E615AB250DB75AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 007F6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007F6E04
SysAllocString.OLEAUT32(00000000), ref: 007F6EAD
VariantCopy.OLEAUT32 ref: 007F6EDC
VariantClear.OLEAUT32(?), ref: 007F6F03

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 95ee3737a3cf84fadac5e27b27928a0e04c8f39dbcb048380e03a5eb97a11868
Instruction ID: d9b2ff3abdadcb1f85dd28107ecc6e871bb26eb553b87fbcd10e1b46592c78c4
Opcode Fuzzy Hash: 95ee3737a3cf84fadac5e27b27928a0e04c8f39dbcb048380e03a5eb97a11868
Instruction Fuzzy Hash: 9351BB35604309DADB34AF65D895A3EB3E5AF45320F20882FE756CB391EF789880DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00829A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0123EC98,?), ref: 00829AD2
ScreenToClient.USER32(00000002,00000002), ref: 00829B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00829B72

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 42f6958bc300eeac8c4d808f0029370429e9a7ece80ed147e39a2982a1c08c95
Instruction ID: ace1cf75b0d231e427bc1d0d9aec3ee34e059306ccd02a20a757dd44ea51c566
Opcode Fuzzy Hash: 42f6958bc300eeac8c4d808f0029370429e9a7ece80ed147e39a2982a1c08c95
Instruction Fuzzy Hash: 47515334A00269EFCF10CF68E8819AE7BB5FF55320F108269F955DB290D730AD91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00816CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00816CE4
WSAGetLastError.WSOCK32(00000000), ref: 00816CF4

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00816D58
WSAGetLastError.WSOCK32(00000000), ref: 00816D64

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 2059c75feb56f274d71945711245351d42e6ff0c89ade9ea0e764b57d51b2522
Instruction ID: 23a7c8b563f76dfdfbb014dc18cc1feac7a79e4fba99b20ecb192b333f4bf355
Opcode Fuzzy Hash: 2059c75feb56f274d71945711245351d42e6ff0c89ade9ea0e764b57d51b2522
Instruction Fuzzy Hash: D3418174740200EFEB20AF24DC8AF7A76A9EF85B14F44C118FA599B2D2DA759C118791

Uniqueness

Uniqueness Score: -1.00%

Function 0081672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0082F910), ref: 008167BA
_strlen.LIBCMT ref: 008167EC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 634ad0fc660232f6e0febe2fc486f5963a9e5118c43591b022e75f7e6dfc5e00
Instruction ID: c5b30d3dddbafdfb249b9a2866936f1d72afee729f35e4e8c7151db3ab6661b8
Opcode Fuzzy Hash: 634ad0fc660232f6e0febe2fc486f5963a9e5118c43591b022e75f7e6dfc5e00
Instruction Fuzzy Hash: 86416F71A00104EBCB14EB64DCC9EEEB7ADFF45314F148269F91997292EB34AD90C751

Uniqueness

Uniqueness Score: -1.00%

Function 0080BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0080BB09
GetLastError.KERNEL32(?,00000000), ref: 0080BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0080BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0080BB80

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 878499c6e8c80402fd9656487f40b1c072db70258dec4c6d5d5be16c65f92116
Instruction ID: 78e3a5e45cc02f5f61041b802e89b3cfc21a913cfa4f078525f3c5127e89a4e3
Opcode Fuzzy Hash: 878499c6e8c80402fd9656487f40b1c072db70258dec4c6d5d5be16c65f92116
Instruction Fuzzy Hash: 6741F939200610DFCB21DF15C589A5ABBE5FF8A320B198499FD4A9B762CB34FD11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00828AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00828B4D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6eb4022161017916b557871e77791a72cdc571811e0e86dd95fdc4f2681a84fc
Instruction ID: 02f8786a664b01ed4176f9cc3c9057e6d7955bb0585cdda580e147f771013ba1
Opcode Fuzzy Hash: 6eb4022161017916b557871e77791a72cdc571811e0e86dd95fdc4f2681a84fc
Instruction Fuzzy Hash: 0D31D674602228FFEF209E18EC45FA93765FB09334F54852AFA51D72A1DE3099D0DA41

Uniqueness

Uniqueness Score: -1.00%

Function 0082ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0082AE1A
GetWindowRect.USER32(?,?), ref: 0082AE90
PtInRect.USER32(?,?,0082C304), ref: 0082AEA0
MessageBeep.USER32(00000000), ref: 0082AF11

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b87c8446894465bc2b78ac6dce8be5d98aa5272794afbea474303b27559c3a2c
Instruction ID: 033260569dfa12a953afaa8e37ec4039df27cc3253f0b4b5f0b619d40e5c328d
Opcode Fuzzy Hash: b87c8446894465bc2b78ac6dce8be5d98aa5272794afbea474303b27559c3a2c
Instruction Fuzzy Hash: DF419174600229DFCB15CF68E884B69BBF5FF88350F1681B9E514DB255D731A882CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00800FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00801037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00801053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008010B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0080110B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: efe1195c14cbcba8c3b179ce1e80c3f5ec3610651035fcf9247dca0fc0e4cb76
Instruction ID: 30472cafec6946bc1895c0ad8f5f0a420993983e5b45d1948c9a93cbb62f9267
Opcode Fuzzy Hash: efe1195c14cbcba8c3b179ce1e80c3f5ec3610651035fcf9247dca0fc0e4cb76
Instruction Fuzzy Hash: 50311630A40A88AEFF748B698C0DBF9BBA9FB45330F44422AE5C0D21D1C77549C19B56

Uniqueness

Uniqueness Score: -1.00%

Function 00801121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00801176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00801192
PostMessageW.USER32(00000000,00000101,00000000), ref: 008011F1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00801243

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a72ade4276b3cd674e6f674dabadc72b7bdc8d900a357af7115b43119268f478
Instruction ID: a1ac5a97c7a6a0395022eda9a3c4bdc0fbd724f60f4ee8299adf796e83771421
Opcode Fuzzy Hash: a72ade4276b3cd674e6f674dabadc72b7bdc8d900a357af7115b43119268f478
Instruction Fuzzy Hash: F6310730A4060C5EEF78CA698C0D7FABBBAFB49334F04531BE680D21D1C33449959755

Uniqueness

Uniqueness Score: -1.00%

Function 007D6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007D644B
__isleadbyte_l.LIBCMT ref: 007D6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007D64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007D64DD

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 71ee5b12fcaf2ca71b80ac9c082e39d999c2e91e0afbebe957275124c2ae7afa
Instruction ID: a68af4d8ca543010c7ffddf3949bec8edfb61b00ab6445b0317d01b40352fd74
Opcode Fuzzy Hash: 71ee5b12fcaf2ca71b80ac9c082e39d999c2e91e0afbebe957275124c2ae7afa
Instruction Fuzzy Hash: AD31CF31600286EFDB218F65C845BAA7BB5FF40350F15842AE855872A1EB39DA91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00825175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00825189

Part of subcall function 0080387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00803897
Part of subcall function 0080387D: GetCurrentThreadId.KERNEL32 ref: 0080389E
Part of subcall function 0080387D: AttachThreadInput.USER32(00000000,?,008052A7), ref: 008038A5

GetCaretPos.USER32(?), ref: 0082519A
ClientToScreen.USER32(00000000,?), ref: 008251D5
GetForegroundWindow.USER32 ref: 008251DB

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4351d4923a61ea881f1553d178f1ce9d830d0c9b969eb19051129bd212e68048
Instruction ID: 42b652128cb069b2ea03f1da8ee39af01871b3f9fbaa950e8951ba2ca604ad0b
Opcode Fuzzy Hash: 4351d4923a61ea881f1553d178f1ce9d830d0c9b969eb19051129bd212e68048
Instruction Fuzzy Hash: F8313E71A00108AFDB10EFA5CC859EFB7FDEF99300F10806AE515E7251EA759E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

GetCursorPos.USER32(?), ref: 0082C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007DBBFB,?,?,?,?,?), ref: 0082C7D7
GetCursorPos.USER32(?), ref: 0082C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007DBBFB,?,?,?), ref: 0082C85E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6b6fb1d6e704fe2c8dd365095a514ee716ba1bf6f8fd49dd7c3dee2093f9491b
Instruction ID: ac12db7a3a6c869019f470e9e404aa4a327b31f9fb8d5c22a0572f3670ce6963
Opcode Fuzzy Hash: 6b6fb1d6e704fe2c8dd365095a514ee716ba1bf6f8fd49dd7c3dee2093f9491b
Instruction Fuzzy Hash: 74316F35600028AFCB25CF58D898EFE7BBAFB49310F048179F905CB261D73599A1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007C0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 007C0BF2

Part of subcall function 007A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00807B20,?,?,00000000), ref: 007A5B8C
Part of subcall function 007A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00807B20,?,?,00000000,?,?), ref: 007A5BB0

_fprintf.LIBCMT ref: 007C0C29
OutputDebugStringW.KERNEL32(?), ref: 007F6331

Part of subcall function 007C4CDA: _flsall.LIBCMT ref: 007C4CF3

__setmode.LIBCMT ref: 007C0C5E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 9aa4674cd00deda93d569f859bd53950057fe81bb6d008b1a7ab75b28b6e5a1d
Instruction ID: bf591c3d5f3945044a3088a4246d3f61fb65ca0db1afb5f3ba5474d57cb32c05
Opcode Fuzzy Hash: 9aa4674cd00deda93d569f859bd53950057fe81bb6d008b1a7ab75b28b6e5a1d
Instruction Fuzzy Hash: 8811E731904208FACB14B7B49C4AEFE7B6DEF82320F14421DF204971D2DE695D9697E5

Uniqueness

Uniqueness Score: -1.00%

Function 007F8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007F8669
Part of subcall function 007F8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007F8673
Part of subcall function 007F8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007F8682
Part of subcall function 007F8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007F8689
Part of subcall function 007F8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007F869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007F8BEB
_memcmp.LIBCMT ref: 007F8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007F8C44
HeapFree.KERNEL32(00000000), ref: 007F8C4B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6f04e1533ec2b9ce1f2e92c7d5bf005ecfbd05a2d0de99487b53fd13401cd70c
Instruction ID: 90e96cf817dd237c7a8074d7f1a97b72431742b6f20b6654f30c53d8f3dcb89b
Opcode Fuzzy Hash: 6f04e1533ec2b9ce1f2e92c7d5bf005ecfbd05a2d0de99487b53fd13401cd70c
Instruction Fuzzy Hash: AB218D71D0120CEBCB10CF94C945BBEB7B8EF40354F1440A9E654A7241DB34AA06DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00811A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00811A97

Part of subcall function 00811B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00811B40
Part of subcall function 00811B21: InternetCloseHandle.WININET(00000000), ref: 00811BDD

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 935ba4c58cc9c33e8bd84add98f68dcb7f656dace24f971baacb19b24494a71d
Instruction ID: 75b8eb7ca35a81e3b62ca3d1d90a42de482c5f09eddb2f62dc802170e1ffa445
Opcode Fuzzy Hash: 935ba4c58cc9c33e8bd84add98f68dcb7f656dace24f971baacb19b24494a71d
Instruction Fuzzy Hash: 2D21AC35204604BFDB219F608C09FFABBBDFF48B10F10402AFA41D6651EB31A861DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007FE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007FF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007FE1C4,?,?,?,007FEFB7,00000000,000000EF,00000119,?,?), ref: 007FF5BC
Part of subcall function 007FF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 007FF5E2
Part of subcall function 007FF5AD: lstrcmpiW.KERNEL32(00000000,?,007FE1C4,?,?,?,007FEFB7,00000000,000000EF,00000119,?,?), ref: 007FF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,007FEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 007FE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 007FE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,007FEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 007FE237

Strings

cdecl, xrefs: 007FE22E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f9a14ab3af6c7cecc5a39ad33d60f76087f15969e0ec89a98e43efe7ac132d0c
Instruction ID: 14241d366d2c944de5ba89d6518255314f21f8fcb2b5e810c8a7cc1e617f6395
Opcode Fuzzy Hash: f9a14ab3af6c7cecc5a39ad33d60f76087f15969e0ec89a98e43efe7ac132d0c
Instruction Fuzzy Hash: 55117F36200349EFCB25AF64D849E7A77B8FF85350B40802AEA16CB260FB759851D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 007D5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007D5351

Part of subcall function 007C594C: __FF_MSGBANNER.LIBCMT ref: 007C5963
Part of subcall function 007C594C: __NMSG_WRITE.LIBCMT ref: 007C596A
Part of subcall function 007C594C: RtlAllocateHeap.NTDLL(01220000,00000000,00000001,00000000,?,?,?,007C1013,?), ref: 007C598F

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 843296ed7c3ce7c85f606d236a7e4187847b517dc14221006359c9f53cde1a8b
Instruction ID: d242e9b3d73db81710979706b3b884eec1ebd091a97cf0d1fbc8f2fd94cb5095
Opcode Fuzzy Hash: 843296ed7c3ce7c85f606d236a7e4187847b517dc14221006359c9f53cde1a8b
Instruction Fuzzy Hash: 9111C132504A15EFCB312F70AC08B5D3BB8AF147E4F20452FF9059A291DFBD89418790

Uniqueness

Uniqueness Score: -1.00%

Function 007A4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A4560

Part of subcall function 007A410D: _memset.LIBCMT ref: 007A418D
Part of subcall function 007A410D: _wcscpy.LIBCMT ref: 007A41E1
Part of subcall function 007A410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007A41F1

KillTimer.USER32(?,00000001,?,?), ref: 007A45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007A45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007DD6CE

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: ced546dfc9e574750fcaa7587197f6b67b1aca59e8173464d5ceefed78cd3b2d
Instruction ID: 1b187b24cdcd875dc1b17c46e14a1b9f8bcc6d6390541afafe13a9c851371be2
Opcode Fuzzy Hash: ced546dfc9e574750fcaa7587197f6b67b1aca59e8173464d5ceefed78cd3b2d
Instruction Fuzzy Hash: 1E21DA70904784AFEB328B24D855BE7BFFCAF41304F04009EE69D56241D7B95E85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0081667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00807B20,?,?,00000000), ref: 007A5B8C
Part of subcall function 007A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00807B20,?,?,00000000,?,?), ref: 007A5BB0

gethostbyname.WSOCK32(?,?,?), ref: 008166AC
WSAGetLastError.WSOCK32(00000000), ref: 008166B7
_memmove.LIBCMT ref: 008166E4
inet_ntoa.WSOCK32(?), ref: 008166EF

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: f27b06cbc584894c64ebb4cd36030ded5462b1075e923c020b10fa45d9bbe0f9
Instruction ID: cd415bbf08da9ded1d3ea2006a6c0cdfe5664561e957cbc15b66fa59dd7955e9
Opcode Fuzzy Hash: f27b06cbc584894c64ebb4cd36030ded5462b1075e923c020b10fa45d9bbe0f9
Instruction Fuzzy Hash: 84114F75500509EBCB00EBA4D98ADEEB7B8FF55310B148175F602A7262EB34AE54CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007F9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 007F9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007F9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007F906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 007F9086

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 09e542923b0b1b05b2058f5c1a724aba4013c2e04f87586cf2b853bf7d8cfd80
Instruction ID: 2e5070b8d535424a9c18d0aa04fce850cdb6080ba4cef7dca9fc136cc5a0b292
Opcode Fuzzy Hash: 09e542923b0b1b05b2058f5c1a724aba4013c2e04f87586cf2b853bf7d8cfd80
Instruction Fuzzy Hash: 2A114C79900219FFDB10DFA5C884FADBB74FB48310F2040A5EA04B7250DA726E10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007A1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 007A2612: GetWindowLongW.USER32(?,000000EB), ref: 007A2623

DefDlgProcW.USER32(?,00000020,?), ref: 007A12D8
GetClientRect.USER32(?,?), ref: 007DB84B
GetCursorPos.USER32(?), ref: 007DB855
ScreenToClient.USER32(?,?), ref: 007DB860

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 11f6105afe4d084920f70b5d55d165086e71cafaee8deadc791d4c62e3566ea5
Instruction ID: 8d4105b022faabbf8ac436f8632ec66895e96909a797678abdc33c37f6025a57
Opcode Fuzzy Hash: 11f6105afe4d084920f70b5d55d165086e71cafaee8deadc791d4c62e3566ea5
Instruction Fuzzy Hash: C8115B35600019EFDB10DF98D989AEE77B8FB46300F404565FA01E3181C734AA52CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00801652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008001FD,?,00801250,?,00008000), ref: 0080166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,008001FD,?,00801250,?,00008000), ref: 00801694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008001FD,?,00801250,?,00008000), ref: 0080169E
Sleep.KERNEL32(?,?,?,?,?,?,?,008001FD,?,00801250,?,00008000), ref: 008016D1

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: fe2b41e89dfbfb9a397484f15590dff6887f60963f769c08996193d488db79ec
Instruction ID: 4dbb27b390e97fffdf9ae6500356e0db133d514023762c57bb7bfb40569271de
Opcode Fuzzy Hash: fe2b41e89dfbfb9a397484f15590dff6887f60963f769c08996193d488db79ec
Instruction Fuzzy Hash: 14115731C0552DEBCF009FA5DC48AEEBB78FF29721F448069EA50F2280CB319561CB96

Uniqueness

Uniqueness Score: -1.00%

Function 007D7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 007D722B

Part of subcall function 007D7912: __fltout2.LIBCMT ref: 007D793B

__cftog_l.LIBCMT ref: 007D7251
__cftoe_l.LIBCMT ref: 007D7283

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: aac2b5a614f4b2f6150edf416ddb07edddefb0af14f2290379c4e365ea749879
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5401433604418AFBCF1A5E84CC458EE3F72BF59351B588516FA1858231E23BD971EB81

Uniqueness

Uniqueness Score: -1.00%

Function 0082B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0082B59E
ScreenToClient.USER32(?,?), ref: 0082B5B6
ScreenToClient.USER32(?,?), ref: 0082B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0082B5F5

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4d666b745877e48ee326f8456eb2aa3b7439322e48a17710152ab047a45c6b20
Instruction ID: 87947145c617110bba01c26a7a36d5426c00a928c53160e3add6e0eed8c688e6
Opcode Fuzzy Hash: 4d666b745877e48ee326f8456eb2aa3b7439322e48a17710152ab047a45c6b20
Instruction Fuzzy Hash: 6A1143B9D00209EFDB51CFA9D9849EEFBB9FB18310F108166E914E3620D735AA55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0082B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0082B8FE
_memset.LIBCMT ref: 0082B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00867F20,00867F64), ref: 0082B93C
CloseHandle.KERNEL32 ref: 0082B94E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: edb747743b8d1c9c18766007e40f38e869bcf43d344b4ec208d8e4791361fbcf
Instruction ID: 7b096132d11e6cd7928c61210e3e370a9d9420eff865808e2e42cc49b418dcd6
Opcode Fuzzy Hash: edb747743b8d1c9c18766007e40f38e869bcf43d344b4ec208d8e4791361fbcf
Instruction Fuzzy Hash: 88F05EB2554310BBF21067A1AC1AFBB3B5CFB09358F015034FB08E5292DBB6490087E8

Uniqueness

Uniqueness Score: -1.00%

Function 00806E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00806E88

Part of subcall function 0080794E: _memset.LIBCMT ref: 00807983

_memmove.LIBCMT ref: 00806EAB
_memset.LIBCMT ref: 00806EB8
LeaveCriticalSection.KERNEL32(?), ref: 00806EC8

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: df79d3ade17527f548f097000412526d307f8259210e6da4231c2bb51f7fc6f3
Instruction ID: 41ff33b993dae3d16dc8a1fd3592249d3ed60603886410bf3a0c28dd705c0997
Opcode Fuzzy Hash: df79d3ade17527f548f097000412526d307f8259210e6da4231c2bb51f7fc6f3
Instruction Fuzzy Hash: 54F0303A100200EBCF516F55DC85E89BB2AFF45321B04C065FE089E25BC735A951CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0082C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007A12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007A134D
Part of subcall function 007A12F3: SelectObject.GDI32(?,00000000), ref: 007A135C
Part of subcall function 007A12F3: BeginPath.GDI32(?), ref: 007A1373
Part of subcall function 007A12F3: SelectObject.GDI32(?,00000000), ref: 007A139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0082C030
LineTo.GDI32(00000000,?,?), ref: 0082C03D
EndPath.GDI32(00000000), ref: 0082C04D
StrokePath.GDI32(00000000), ref: 0082C05B

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 2bd94ecea24fc399b56795fc5ba660826eb3d9c05ed462e9652c66023fcd406d
Instruction ID: e40890f761fad370e8598fe3531fff236fa631c75b9b6fd16824042427505b60
Opcode Fuzzy Hash: 2bd94ecea24fc399b56795fc5ba660826eb3d9c05ed462e9652c66023fcd406d
Instruction Fuzzy Hash: A5F05E32001669FBDB226F55AC09FDE3FA9BF06711F148120FB11A10E387B55566CB99

Uniqueness

Uniqueness Score: -1.00%

Function 007FA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007FA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 007FA3AC
GetCurrentThreadId.KERNEL32 ref: 007FA3B3
AttachThreadInput.USER32(00000000), ref: 007FA3BA

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1704a9b6bf5f454a7ef19c7b4b252c6548e60fed87d151dfc4689b68f0f0e9f1
Instruction ID: 5c65c131cde24d40719441c42b367e5884146d838d38e51ca77056850bee5b51
Opcode Fuzzy Hash: 1704a9b6bf5f454a7ef19c7b4b252c6548e60fed87d151dfc4689b68f0f0e9f1
Instruction Fuzzy Hash: F1E03971541228BADB201FA2DD0CEE73F6CFF267A1F008034F70984061C6799541CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007A2231
SetTextColor.GDI32(?,000000FF), ref: 007A223B
SetBkMode.GDI32(?,00000001), ref: 007A2250
GetStockObject.GDI32(00000005), ref: 007A2258
GetWindowDC.USER32(?,00000000), ref: 007DC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 007DC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 007DC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 007DC112
GetPixel.GDI32(00000000,?,?), ref: 007DC132
ReleaseDC.USER32(?,00000000), ref: 007DC13D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 17ba4092bc80d486225765181b03b3fccfb00be9d0502d3bcecf8162485d7d09
Instruction ID: 6d964b82711759283f567103425320237e2c0cfab2547bfbeacddc8baa89fea8
Opcode Fuzzy Hash: 17ba4092bc80d486225765181b03b3fccfb00be9d0502d3bcecf8162485d7d09
Instruction Fuzzy Hash: 6BE03932100244EADB225F68EC09BD83B30BB05332F04C377FB69880E287768992DB11

Uniqueness

Uniqueness Score: -1.00%

Function 007F8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 007F8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,007F882E), ref: 007F8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007F882E), ref: 007F8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,007F882E), ref: 007F8C7E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5f1624378badcc4f09c7dbd9fddf10d02fc39c52d4cb27095e9b93c9c33110e2
Instruction ID: 7a26ca15719bb6dea7c69c8c1023a3ec4d8795956ca3e46231f1ba9c5e03ee82
Opcode Fuzzy Hash: 5f1624378badcc4f09c7dbd9fddf10d02fc39c52d4cb27095e9b93c9c33110e2
Instruction Fuzzy Hash: 18E04F36642211DBD7705FB16D0DB563BB8FF55792F048878A345CA041DB348442CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007E2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007E2187
GetDC.USER32(00000000), ref: 007E2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007E21B1
ReleaseDC.USER32(?), ref: 007E21D2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 29f87ea56203f0b98c51b188600cdc30cb7f258e231ef511ab0721bdb1eeaf49
Instruction ID: 783d3011b6bce4075e27cb97ee2fc9e3d99469fbb4fc6f7d1735204c201ac906
Opcode Fuzzy Hash: 29f87ea56203f0b98c51b188600cdc30cb7f258e231ef511ab0721bdb1eeaf49
Instruction Fuzzy Hash: 5FE01AB5800604EFDB219F60C908A9D7BF5FB5C350F10C426FA5AA7222DB388142DF40

Uniqueness

Uniqueness Score: -1.00%

Function 007E219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007E219B
GetDC.USER32(00000000), ref: 007E21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007E21B1
ReleaseDC.USER32(?), ref: 007E21D2

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2a7bb60c2a177cf8d861a9cff014f8224e60840f44e8be2f2e9b91474737218c
Instruction ID: 6a5ddb922f2a87b2f1cb5123818dc62ba1f65ad785188f6171fb494bea9b8898
Opcode Fuzzy Hash: 2a7bb60c2a177cf8d861a9cff014f8224e60840f44e8be2f2e9b91474737218c
Instruction Fuzzy Hash: 92E01A75800204EFCB219F70C90869D7BF1FB5C310F10C026FA5AA7221DB389142DF40

Uniqueness

Uniqueness Score: -1.00%

Function 007FB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 007FB981

Strings

AutoIt3GUI, xrefs: 007FB8F9
Container, xrefs: 007FB8FE

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: b7c344bbcca7f694940f56c388967a50051327e598d2015755f5a26ff476f287
Instruction ID: cd251437b592022d2b39a1e26807ac6d48412c1e25c93ab5d8370215058b4624
Opcode Fuzzy Hash: b7c344bbcca7f694940f56c388967a50051327e598d2015755f5a26ff476f287
Instruction Fuzzy Hash: C3913870600205DFDB24CF68C884A7ABBE9FF48710F14856EEA4ADB791DB74E844CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0080B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007BFEC6: _wcscpy.LIBCMT ref: 007BFEE9

Part of subcall function 007A9997: __itow.LIBCMT ref: 007A99C2
Part of subcall function 007A9997: __swprintf.LIBCMT ref: 007A9A0C

__wcsnicmp.LIBCMT ref: 0080B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0080B361

Strings

LPT, xrefs: 0080B292

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 88af118f44dd2e6c5504b4344c32d1420c10e8116ae3b66e67814f7689c23eb5
Instruction ID: 41a3eb2ec628be801769eb292e35b1ba3fc78a6ddcb47dba551c80a02e6aeaf4
Opcode Fuzzy Hash: 88af118f44dd2e6c5504b4344c32d1420c10e8116ae3b66e67814f7689c23eb5
Instruction Fuzzy Hash: 57615C75A00219EFCB14DB94C885EAEB7F4FB49310F11816AF946EB391DB74AE40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007E8A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007E8B1E
_memmove.LIBCMT ref: 007E8B78

Strings

Oa{, xrefs: 007E8BF2, 007EE39A, 007EE3B6

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _memmove
String ID: Oa{
API String ID: 4104443479-1068949949
Opcode ID: 99da79d75077651e25a122bbeca72b842dbb87da9c18944551f16d33347236ea
Instruction ID: e866edd08e0e5cb12ed5905de330afba863c8fe3478520f6b1d785b1ac1a73d4
Opcode Fuzzy Hash: 99da79d75077651e25a122bbeca72b842dbb87da9c18944551f16d33347236ea
Instruction Fuzzy Hash: B65191B0A01649DFCF64CF69C880AAEBBF1FF49304F14852AE85AD7241EB34E955CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007B2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007B2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 007B2AE1

Strings

@, xrefs: 007B2AD5

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 02b6495f2bae211e4b1dac472cb1a44f97aee1c41b012185a4a1a4a8d89f1839
Instruction ID: 3f6044a2ea2b653a45af1c1d4d1396eec2b0ba322d56852e0ecbb5ef72e0c6d9
Opcode Fuzzy Hash: 02b6495f2bae211e4b1dac472cb1a44f97aee1c41b012185a4a1a4a8d89f1839
Instruction Fuzzy Hash: 73515771518745DBD320AF10D88ABABBBE8FBC5310F42895DF2D9910A1EB348539CB26

Uniqueness

Uniqueness Score: -1.00%

Function 008099BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 007A506B: __fread_nolock.LIBCMT ref: 007A5089

_wcscmp.LIBCMT ref: 00809AAE
_wcscmp.LIBCMT ref: 00809AC1

Strings

FILE, xrefs: 008099FA

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 33371b8213fc3a40c138b6054c72a71b44acb73aea477fbd4f3ce3b5277ab9f8
Instruction ID: 61fc612efc5cdc9da131936787601f184e91c39c37d967ed030f5e423c54f26f
Opcode Fuzzy Hash: 33371b8213fc3a40c138b6054c72a71b44acb73aea477fbd4f3ce3b5277ab9f8
Instruction Fuzzy Hash: 5B41D771A00619BADF209AA4DC85FEFBBBDEF85710F004169F940F71C1DA75AA048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00812882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00812892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008128C8

Strings

|, xrefs: 00812899

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: ac6ad0f5bff4bcc0902a449713fffbb1d5b7e7ee7da7ee37e31783bf92bc0224
Instruction ID: ec6bed2a82b60fe55a4236cdad0b93ac92495f0ef6f542d5e096659b8b90630e
Opcode Fuzzy Hash: ac6ad0f5bff4bcc0902a449713fffbb1d5b7e7ee7da7ee37e31783bf92bc0224
Instruction Fuzzy Hash: 68313971800119EFCF05AFA4DC89EEEBFB9FF09300F004129F814A6166DA355A56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00826CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00826D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00826DC2

Strings

static, xrefs: 00826D22

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ebd58f655b5f33d0a58d5fb9c8c8c96d76e0530b3c6991dc735aab4cfed3ef7e
Instruction ID: 872cd92b22626683486ee3577faa50e18f6fa197100ed97926029f9999bdaf3a
Opcode Fuzzy Hash: ebd58f655b5f33d0a58d5fb9c8c8c96d76e0530b3c6991dc735aab4cfed3ef7e
Instruction Fuzzy Hash: B9316D71200618ABDB109F68DC84AFB77B9FF48764F108629F9A5D7190DA35ACA1CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00802D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00802E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00802E3B

Strings

0, xrefs: 00802DF9

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f760ed66be9a0931ed0bea319a44632254f0252f6c629b82910ac2d2922ffb78
Instruction ID: dcf124324056b0998eebb35f439d1d9a536cc65f324b0ec119484300de01e696
Opcode Fuzzy Hash: f760ed66be9a0931ed0bea319a44632254f0252f6c629b82910ac2d2922ffb78
Instruction Fuzzy Hash: 7331C331640309EBEB648F98CD4DBAEBBB9FF05350F14406EE985D61E2E7B09944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00826943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008269D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008269DB

Strings

Combobox, xrefs: 0082699D

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a9c7fee537761fe7017bba318e17337a02fc32503acf07e9a2b3d2030434ad4f
Instruction ID: 59c940834a68a7d7ddc390f3ec09cf718ce881535ab159b14d37bad6a36c648f
Opcode Fuzzy Hash: a9c7fee537761fe7017bba318e17337a02fc32503acf07e9a2b3d2030434ad4f
Instruction Fuzzy Hash: AC11C4717002197FEF119F14DC80EBB3B6AFB993A4F114224F958D7291EA759CE187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00826E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007A1D73
Part of subcall function 007A1D35: GetStockObject.GDI32(00000011), ref: 007A1D87
Part of subcall function 007A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007A1D91

GetWindowRect.USER32(00000000,?), ref: 00826EE0
GetSysColor.USER32(00000012), ref: 00826EFA

Strings

static, xrefs: 00826EBD

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5aa23af7166def022ffad9076e2a597dffd9abcab0ef8d44c6c9d5a4c57456c7
Instruction ID: a3e177432108a9708e67c4f4cdb63dadb35555d3e7b122e2c98f8879246b12af
Opcode Fuzzy Hash: 5aa23af7166def022ffad9076e2a597dffd9abcab0ef8d44c6c9d5a4c57456c7
Instruction Fuzzy Hash: 0621447261021AAFDB04DFA8DD45AEA7BB8FB08314F114629FA55D2250E634A8A1DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00826B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00826C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00826C20

Strings

edit, xrefs: 00826BF5

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 898962c4462033f437da2eb9fd5d564263effcd1a563231c9d15dcee4e1fd4d7
Instruction ID: 6475ae7a52d2457d578198219be4c134d2c1c34766a2dd189d50ced50163e795
Opcode Fuzzy Hash: 898962c4462033f437da2eb9fd5d564263effcd1a563231c9d15dcee4e1fd4d7
Instruction Fuzzy Hash: 8F119A71501228ABEB109E64AC45ABA376AFB04378F604724FA61D31E0E775DCA1AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00802E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00802F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00802F30

Strings

0, xrefs: 00802F07

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 128a4fff69b65e43740018df7b27f9b8753435aaf0df73df318610d5eebe2731
Instruction ID: 8cb4c43e8008962ff4cf266f3c4d293d99f7da24575548f1693120a3f69b94ae
Opcode Fuzzy Hash: 128a4fff69b65e43740018df7b27f9b8753435aaf0df73df318610d5eebe2731
Instruction Fuzzy Hash: D111BB32901229ABCB70DA98DC08BA973B9FB01354F1940B5FC44F72E1EBF0AE048791

Uniqueness

Uniqueness Score: -1.00%

Function 008124CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00812520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00812549

Strings

<local>, xrefs: 00812511

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b5fa3536c15c61cc39190a413320ab4f23f6452de9fa9e6e9a038781ea436fa1
Instruction ID: 212afee60846c2a552c085d40a82c22a48de68a9b77121b8fcd7d320737d3605
Opcode Fuzzy Hash: b5fa3536c15c61cc39190a413320ab4f23f6452de9fa9e6e9a038781ea436fa1
Instruction Fuzzy Hash: 5E11A070501225BEDB248F518CD9EFBFF6DFF16755F10812AF90586140E27069E5DAE0

Uniqueness

Uniqueness Score: -1.00%

Function 008180A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0081830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008180C8,?,00000000,?,?), ref: 00818322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008180CB
htons.WSOCK32(00000000,?,00000000), ref: 00818108

Strings

255.255.255.255, xrefs: 008180E3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 73bed7bd8467094d1d91b7a8af8939b9b1cb60fc48f1a1bd6ee83cf8e5358fe9
Instruction ID: 2a9d6db1110f0f94422b35dce61df1ee9500d9e1e1cc38e8784736a9aef822a6
Opcode Fuzzy Hash: 73bed7bd8467094d1d91b7a8af8939b9b1cb60fc48f1a1bd6ee83cf8e5358fe9
Instruction Fuzzy Hash: F4118E75600209EBDB20AFA4CC86FFDB778FF44320F108626EA15D7292DA72A855C695

Uniqueness

Uniqueness Score: -1.00%

Function 007F92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 007FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007FB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007F9355

Strings

ListBox, xrefs: 007F931F
ComboBox, xrefs: 007F92F4

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ae8f499acfe007aa98dc3173b731593f792ceec79b08ad0f6f786f154fd2f102
Instruction ID: 2285ae5fc779ba94ce006864b5bc336efebe93d25b48af0e7ee2155dfe2ee7a5
Opcode Fuzzy Hash: ae8f499acfe007aa98dc3173b731593f792ceec79b08ad0f6f786f154fd2f102
Instruction Fuzzy Hash: 3C01DE71A45218EB8B08EBA4CC96DFE7769FF46320B100719FA72973D2EA39590CC650

Uniqueness

Uniqueness Score: -1.00%

Function 007F91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 007FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007FB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 007F924D

Strings

ListBox, xrefs: 007F9217
ComboBox, xrefs: 007F91EC

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 52a71566096af404ed0628bf34291153f2bbc5de3447ae2dae76b2de2197b631
Instruction ID: 2e6ae4c79fcd24c0eebe3fed2b9bbd5c52d08d8736d8b8993019da847a1b2c0d
Opcode Fuzzy Hash: 52a71566096af404ed0628bf34291153f2bbc5de3447ae2dae76b2de2197b631
Instruction Fuzzy Hash: 22018471A41108FBCB18EBA0C996EFF77A8EF46300F140119BA1267382EA196F1CD661

Uniqueness

Uniqueness Score: -1.00%

Function 007F9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A7F41: _memmove.LIBCMT ref: 007A7F82

Part of subcall function 007FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007FB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 007F92D0

Strings

ListBox, xrefs: 007F929C
ComboBox, xrefs: 007F9271

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 547df6329c845a83b4a7a74390d20671c51eda4826d80cd0f9cebb48d1a26d0f
Instruction ID: 3e1db9bbb957b5f1dea29dae51c27f9ad2c6733235337514a8aacfcc42e8f9ee
Opcode Fuzzy Hash: 547df6329c845a83b4a7a74390d20671c51eda4826d80cd0f9cebb48d1a26d0f
Instruction Fuzzy Hash: C201A771A41108BBCF04E7A4C986EFF77ACAF11300F140215BA1263382EA195F0C9271

Uniqueness

Uniqueness Score: -1.00%

Function 008051CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008051E8
_wcscmp.LIBCMT ref: 008051FA

Strings

#32770, xrefs: 008051F4

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 9f41bb9326c6344fae174e34ec22e0db9fe8cb38c78ca3be739c34f56a904c4c
Instruction ID: 73de9177b12953bfab91b0bc50cedadbc9568444097238b2e9b710506436152e
Opcode Fuzzy Hash: 9f41bb9326c6344fae174e34ec22e0db9fe8cb38c78ca3be739c34f56a904c4c
Instruction Fuzzy Hash: F2E0613250022C1BD32096D59C49F97F7BCFF44731F00016BFD10D3041D56099058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 007F81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007F81CA

Part of subcall function 007C3598: _doexit.LIBCMT ref: 007C35A2

Strings

AutoIt, xrefs: 007F81BE
Error allocating memory., xrefs: 007F81C3

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 0b6a9be6944b2b57e71422943c800fbcff281f7802e044c6fc3928920e137cab
Instruction ID: 36cfe941299625dc52393b0957cbbe54ae96d7b39f322a6080cecf6e597cd84f
Opcode Fuzzy Hash: 0b6a9be6944b2b57e71422943c800fbcff281f7802e044c6fc3928920e137cab
Instruction Fuzzy Hash: C4D0123238535872D62433A46C0EFCA76489B55B52F104029BB18956D389DA59D242D9

Uniqueness

Uniqueness Score: -1.00%

Function 007DB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007DB564: _memset.LIBCMT ref: 007DB571

Part of subcall function 007C0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007DB540,?,?,?,007A100A), ref: 007C0B89

IsDebuggerPresent.KERNEL32(?,?,?,007A100A), ref: 007DB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007A100A), ref: 007DB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007DB54E

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 4c8d99d8167f549d3ea13dd2d759f0d559680f6c7c8928b0ce3e745efb48ed75
Instruction ID: 9169ffb6bef9e805249881d985f0ac8c1b99f9f553e963c6086e6c5ba73efea8
Opcode Fuzzy Hash: 4c8d99d8167f549d3ea13dd2d759f0d559680f6c7c8928b0ce3e745efb48ed75
Instruction Fuzzy Hash: 9AE039B0600350CBD320DF28E8087427BF0BB05714F018A2DE546C2352E7B8D405CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00825BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00825BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00825C08

Part of subcall function 008054E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0080555E

Strings

Shell_TrayWnd, xrefs: 00825BEE

Memory Dump Source

Source File: 00000001.00000002.1287085369.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000001.00000002.1287068157.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.000000000082F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287156163.0000000000855000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287211539.000000000085F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1287235073.0000000000868000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a0000_Payment.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2f0b4194e58473a5101d59c9f1c7501315fba31a3303553bf07ee041e3cedbb1
Instruction ID: 1fd12392c7bf55651e088c984188c5a73349675e4d335a16ac6bfa349ec10533
Opcode Fuzzy Hash: 2f0b4194e58473a5101d59c9f1c7501315fba31a3303553bf07ee041e3cedbb1
Instruction Fuzzy Hash: A0D0A931388700BAE3B8AB30AC0BFD33A20FB10B01F000834BB06EA1D1C8E45801CA10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Countee

C:\Users\user\AppData\Local\Temp\aut1FF7.tmp

C:\Users\user\AppData\Local\Temp\aut2065.tmp

C:\Users\user\AppData\Local\Temp\subpredication

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
Payment.exe

Function 007A3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 007A4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 007A4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 008093DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 007A3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Function 007A3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 007A71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 007A3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 007A3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 007A3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01102620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 007A39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01102410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Function 007A410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 007C564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre