Windows Analysis Report
JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe

Overview

General Information

Sample name:JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
Analysis ID:1482711
MD5:c2ba6d34f3e6c6b3af5448fd1a7796ad
SHA1:446e5056b83d01fec8cbd18e371c999e90338564
SHA256:2036747a3fdc79b8c1394e66b36ae1080ad22db75f08dc9cf91e8fac3dc5fe51
Tags: exe, Formbook

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe (PID: 5256 cmdline: "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe" MD5: C2BA6D34F3E6C6B3AF5448FD1A7796AD)
    • powershell.exe (PID: 1792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nCPTBp.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7556 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7244 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • nCPTBp.exe (PID: 7532 cmdline: C:\Users\user\AppData\Roaming\nCPTBp.exe MD5: C2BA6D34F3E6C6B3AF5448FD1A7796AD)
    • schtasks.exe (PID: 7668 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nCPTBp.exe (PID: 7740 cmdline: "C:\Users\user\AppData\Roaming\nCPTBp.exe" MD5: C2BA6D34F3E6C6B3AF5448FD1A7796AD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2b7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x145bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ee13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17be2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: nCPTBp.exe PID: 7532 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Source | Rule | Description | Author | Strings
16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ee13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17be2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e013:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16de2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", ParentImage: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, ParentProcessId: 5256, ParentProcessName: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", ProcessId: 1792, ProcessName: powershell.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\nCPTBp.exe, ParentImage: C:\Users\user\AppData\Roaming\nCPTBp.exe, ParentProcessId: 7532, ParentProcessName: nCPTBp.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp", ProcessId: 7668, ProcessName: schtasks.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", ParentImage: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, ParentProcessId: 5256, ParentProcessName: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp", ProcessId: 7244, ProcessName: schtasks.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", ParentImage: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, ParentProcessId: 5256, ParentProcessName: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", ProcessId: 1792, ProcessName: powershell.exe

            Persistence and Installation Behavior

            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe", ParentImage: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, ParentProcessId: 5256, ParentProcessName: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp", ProcessId: 7244, ProcessName: schtasks.exe
            No Snort rule has matched
            Timestamp:2024-07-26T02:36:56.113625+0200
            SID:2022930
            Source Port:443
            Destination Port:49699
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-26T02:37:34.081691+0200
            SID:2022930
            Source Port:443
            Destination Port:49704
            Protocol:TCP
            Classtype:A Network Trojan was detected

            AV Detection

            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | Avira: detected
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe | Avira: detection malicious, Label: HEUR/AGEN.1308795
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe | ReversingLabs: Detection: 64%
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe | Virustotal: Detection: 33%
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | Virustotal: Detection: 33%
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | ReversingLabs: Detection: 64%
            Source: Yara match | File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe | Joe Sandbox ML: detected
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | Joe Sandbox ML: detected
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe | Code function: 4x nop then jmp 057C67ECh | 18_2_057C5DBF
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe | Code function: 4x nop then jmp 057C67ECh | 18_2_057C5E90
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1293693851.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, nCPTBp.exe, 00000012.00000002.1505843402.0000000002572000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            E-Banking Fraud

            Source: Yara match | File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5120000.3.raw.unpack, SizeParameters.cs | Large array initialization: array initializer size 15921
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.2a53094.0.raw.unpack, SizeParameters.cs | Large array initialization: array initializer size 15921
            Source: 18.2.nCPTBp.exe.2552db8.0.raw.unpack, SizeParameters.cs | Large array initialization: array initializer size 15921
            Source: initial sample | Static PE information: Filename: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0042C183 NtClose,16_2_0042C183
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_011035C0 NtCreateMutant,LdrInitializeThunk,16_2_011035C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102DF0 NtQuerySystemInformation,LdrInitializeThunk,16_2_01102DF0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102C70 NtFreeVirtualMemory,LdrInitializeThunk,16_2_01102C70
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01103010 NtOpenDirectoryObject,16_2_01103010
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01103090 NtSetValueKey,16_2_01103090
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01104340 NtSetContextThread,16_2_01104340
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01104650 NtSuspendThread,16_2_01104650
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_011039B0 NtGetContextThread,16_2_011039B0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102B60 NtClose,16_2_01102B60
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102B80 NtQueryInformationFile,16_2_01102B80
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102BA0 NtEnumerateValueKey,16_2_01102BA0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102BF0 NtAllocateVirtualMemory,16_2_01102BF0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102BE0 NtQueryValueKey,16_2_01102BE0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102AB0 NtWaitForSingleObject,16_2_01102AB0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102AD0 NtReadFile,16_2_01102AD0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102AF0 NtWriteFile,16_2_01102AF0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102D10 NtMapViewOfSection,16_2_01102D10
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01103D10 NtOpenProcessToken,16_2_01103D10
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102D00 NtSetInformationFile,16_2_01102D00
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102D30 NtUnmapViewOfSection,16_2_01102D30
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01103D70 NtOpenThread,16_2_01103D70
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102DB0 NtEnumerateKey,16_2_01102DB0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102DD0 NtDelayExecution,16_2_01102DD0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102C00 NtQueryInformationProcess,16_2_01102C00
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102C60 NtCreateKey,16_2_01102C60
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102CA0 NtQueryInformationToken,16_2_01102CA0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102CC0 NtQueryVirtualMemory,16_2_01102CC0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102CF0 NtOpenProcess,16_2_01102CF0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102F30 NtCreateSection,16_2_01102F30
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102F60 NtCreateProcessEx,16_2_01102F60
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102F90 NtProtectVirtualMemory,16_2_01102F90
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102FB0 NtResumeThread,16_2_01102FB0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102FA0 NtQuerySection,16_2_01102FA0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102FE0 NtCreateFile,16_2_01102FE0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102E30 NtWriteVirtualMemory,16_2_01102E30
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102E80 NtReadVirtualMemory,16_2_01102E80
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102EA0 NtAdjustPrivilegesToken,16_2_01102EA0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01102EE0 NtQueueApcThread,16_2_01102EE0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118757116_2_01187571
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0119059116_2_01190591
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0116D5B016_2_0116D5B0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118F43F16_2_0118F43F
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118244616_2_01182446
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C146016_2_010C1460
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117E4F616_2_0117E4F6
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F475016_2_010F4750
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D077016_2_010D0770
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118F7B016_2_0118F7B0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CC7C016_2_010CC7C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_011816CC16_2_011816CC
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010EC6E016_2_010EC6E0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D995016_2_010D9950
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010EB95016_2_010EB950
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E696216_2_010E6962
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D29A016_2_010D29A0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0119A9A616_2_0119A9A6
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0113D80016_2_0113D800
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D284016_2_010D2840
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010DA84016_2_010DA840
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B68B816_2_010B68B8
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D38E016_2_010D38E0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE8F016_2_010FE8F0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118AB4016_2_0118AB40
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118FB7616_2_0118FB76
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010EFB8016_2_010EFB80
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01186BD716_2_01186BD7
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01145BF016_2_01145BF0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0110DBF916_2_0110DBF9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118FA4916_2_0118FA49
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01187A4616_2_01187A46
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01143A6C16_2_01143A6C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CEA8016_2_010CEA80
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01115AA016_2_01115AA0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0116DAAC16_2_0116DAAC
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117DAC616_2_0117DAC6
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010DAD0016_2_010DAD00
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01181D5A16_2_01181D5A
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D3D4016_2_010D3D40
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01187D7316_2_01187D73
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E8DBF16_2_010E8DBF
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010EFDC016_2_010EFDC0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CADE016_2_010CADE0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D0C0016_2_010D0C00
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01149C3216_2_01149C32
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170CB516_2_01170CB5
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118FCF216_2_0118FCF2
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C0CF216_2_010C0CF2
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118FF0916_2_0118FF09
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01112F2816_2_01112F28
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F0F3016_2_010F0F30
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01144F4016_2_01144F40
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D1F9216_2_010D1F92
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118FFB116_2_0118FFB1
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114EFA016_2_0114EFA0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C2FC816_2_010C2FC8
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010DCFE016_2_010DCFE0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118EE2616_2_0118EE26
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D0E5916_2_010D0E59
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118CE9316_2_0118CE93
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E2E9016_2_010E2E90
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D9EB016_2_010D9EB0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118EEDB16_2_0118EEDB
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_00A9DEA418_2_00A9DEA4
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_057C14E018_2_057C14E0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_057C14D018_2_057C14D0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_057C310018_2_057C3100
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_057C10A818_2_057C10A8
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_057C109918_2_057C1099
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_057C0C7018_2_057C0C70
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_057C0C6118_2_057C0C61
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 18_2_057C083818_2_057C0838
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0137010022_2_01370100
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013C600022_2_013C6000
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_014002C022_2_014002C0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138053522_2_01380535
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138077022_2_01380770
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013A475022_2_013A4750
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0137C7C022_2_0137C7C0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0139C6E022_2_0139C6E0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0139696222_2_01396962
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013829A022_2_013829A0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138284022_2_01382840
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138A84022_2_0138A840
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013668B822_2_013668B8
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013B889022_2_013B8890
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013AE8F022_2_013AE8F0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0137EA8022_2_0137EA80
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138AD0022_2_0138AD00
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138ED7A22_2_0138ED7A
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01398DBF22_2_01398DBF
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0137ADE022_2_0137ADE0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01388DC022_2_01388DC0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01380C0022_2_01380C00
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01370CF222_2_01370CF2
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013A0F3022_2_013A0F30
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013C2F2822_2_013C2F28
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013F4F4022_2_013F4F40
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013FEFA022_2_013FEFA0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01372FC822_2_01372FC8
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01380E5922_2_01380E59
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01392E9022_2_01392E90
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0136F17222_2_0136F172
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013B516C22_2_013B516C
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138B1B022_2_0138B1B0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0136D34C22_2_0136D34C
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013833F322_2_013833F3
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013852A022_2_013852A0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0139D2F022_2_0139D2F0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0139B2C022_2_0139B2C0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0137146022_2_01371460
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138349722_2_01383497
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013C74E022_2_013C74E0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138B73022_2_0138B730
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138995022_2_01389950
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0139B95022_2_0139B950
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0138599022_2_01385990
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013ED80022_2_013ED800
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013838E022_2_013838E0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0139FB8022_2_0139FB80
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013BDBF922_2_013BDBF9
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013F5BF022_2_013F5BF0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013F3A6C22_2_013F3A6C
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01383D4022_2_01383D40
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_0139FDC022_2_0139FDC0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_013F9C3222_2_013F9C32
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01399C2022_2_01399C20
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01381F9222_2_01381F92
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: 22_2_01389EB022_2_01389EB0
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: String function: 013C7E54 appears 97 times
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeCode function: String function: 013EEA12 appears 37 times
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: String function: 0114F290 appears 105 times
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: String function: 010BB970 appears 265 times
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: String function: 01105130 appears 36 times
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: String function: 01117E54 appears 96 times
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: String function: 0113EA12 appears 86 times
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1314675065.0000000005C00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1300423741.0000000003C0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1293693851.0000000002A31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1291325896.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1310449163.0000000005120000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.00000000011BD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Binary or memory string: OriginalFilenameDdXL.exe< vs JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: nCPTBp.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.SetAccessControl
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.AddAccessRule
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, ugiCahmWU9HqoBIE7s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, ugiCahmWU9HqoBIE7s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, ugiCahmWU9HqoBIE7s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.SetAccessControl
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.AddAccessRule
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.SetAccessControl
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.cs Security API names: _0020.AddAccessRule
            Source: classification engine Classification label: mal100.troj.evad.winEXE@19/15@0/0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File created: C:\Users\user\AppData\Roaming\nCPTBp.exe
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File created: C:\Users\user\AppData\Local\Temp\tmp920A.tmp
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Virustotal: Detection: 33%
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe ReversingLabs: Detection: 64%
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File read: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe:Zone.Identifier
            Source: unknown Process created: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nCPTBp.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
            Source: unknown Process created: C:\Users\user\AppData\Roaming\nCPTBp.exe C:\Users\user\AppData\Roaming\nCPTBp.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process created: C:\Users\user\AppData\Roaming\nCPTBp.exe "C:\Users\user\AppData\Roaming\nCPTBp.exe"
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, StatGrapher.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: nCPTBp.exe.1.dr, StatGrapher.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5120000.3.raw.unpack, bg.cs .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.2a53094.0.raw.unpack, bg.cs .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, tr37UWORppbQ5PIAqL.cs .Net Code: uirVFu7Pse System.Reflection.Assembly.Load(byte[])
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.cs .Net Code: uirVFu7Pse System.Reflection.Assembly.Load(byte[])
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.cs .Net Code: uirVFu7Pse System.Reflection.Assembly.Load(byte[])
            Source: 18.2.nCPTBp.exe.2552db8.0.raw.unpack, bg.cs .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Static PE information: section name: .text entropy: 7.951617880904782
            Source: nCPTBp.exe.1.dr Static PE information: section name: .text entropy: 7.951617880904782
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, k6sIoRAO12TfY5kE2j.csHigh entropy of concatenated method names: 'SRAFhRdWP', 't5E2bZwhM', 'xGfxfHpT1', 'QpgUVZVpV', 'wxrOedlN8', 'p4aJfljnO', 'Um40OyhJIpWr6t7GDc', 'SKs5HxFgPvCoW2yP1Y', 'ATZNp05LE', 'B1hRJZnC1'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.5c00000.6.raw.unpack, Pq7FEuQ4AWnwjflHjd.csHigh entropy of concatenated method names: 'Dispose', 'O3c7hpmXtR', 'qmrqCueYx7', 'Gh5bbb1eNH', 'DVV7GUaLQt', 'GrP7zkVHKM', 'ProcessDialogKey', 'XuLq8fG7It', 'eMkq72mRvL', 'Q0oqqh2y9W'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, iCMsPPc14g0LbrpC1r.csHigh entropy of concatenated method names: 'ToString', 'wqKIWwsRu1', 'w5gIClLtcW', 'hOUIsVgFKX', 'EgNIAYyRPF', 'SgpIZ5w4HA', 'rLRIeblNiM', 'JxPIQXroXt', 'jp1IwC7Q4d', 'giYIPCOdX4'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, jTUmy3T7eSYsyXDiWA5.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't4IRpE8WBJ', 'HoYRjTnIR0', 'O94RgIonfe', 'PRWRrwnZ6r', 't7qRcuKqJ6', 'gYFRtCHpwx', 'eFeRvVq4aF'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, RYP9auK2gvoKrJoTUI.csHigh entropy of concatenated method names: 'tEDN1YQ4oq', 'pLlNCLOIWW', 'dpONs0MbVK', 'VHHNAar2p6', 'lDKNpkDwDA', 'MvGNZLDgOv', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, eKcewjTS759y9tNiMw6.csHigh entropy of concatenated method names: 'aKM63GnXVk', 'RfS6fjy6nD', 'soE6F7ltlY', 'i2k62Df1DV', 'ypS6DFJ3Jw', 'nR06xxoHw1', 'OCZ6UEfd6v', 'zNJ6KcMPVb', 'Q7C6O9v6B1', 'j9y6Jk6ulW'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, KS4DbtfggC5rweGmtu.csHigh entropy of concatenated method names: 'wMGY3kiXng', 'bBHYfPRbLm', 'LKhYFiVI2J', 'GOjY2VEEKG', 'h93YD8jhK1', 'OuFYxxObL1', 'tfSYUO5C5Q', 'TqUYK9t87Z', 'P5PYOhWLvQ', 'Yc8YJo32QK'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, CMJVaV2jhxJrxX4hho.csHigh entropy of concatenated method names: 'Xfl67PqBok', 'YGh6TmnQsH', 'iM86V7cg1f', 'FWJ6oH6feI', 'T7t6aTP8Wg', 'tSQ655xDT8', 'HoZ6kwF5of', 'z9QNvxR2ZN', 'MijNSsWrCN', 'Ik2NhTniRW'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, w62axEbqy4R1jsMrBU.csHigh entropy of concatenated method names: 'jbB5D5yFQi', 'IbJ5UrctGL', 'qtkXsEkjO6', 'RPRXAV4apr', 'CcrXZDBn8p', 'tsQXeF6TfO', 'rRtXQiPfU1', 'xsnXwheEoP', 'VsnXPjYqtO', 'yGjXntDgnv'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, MqQiTFRFCn0eZo02RE.csHigh entropy of concatenated method names: 'uKsk0jQDXJ', 'Lrok3dHj4l', 'N6DkFHnwSc', 'BtAk2LLG7u', 'ATRkxw9ceG', 'Qu1kUDpPc6', 'mKhkOUsP0X', 'd5SkJlrNcN', 'GL9T9uVbqwBZ36uUYK2', 'n243vyVdyHH87q2LOgQ'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tyBvNlWGwV68pMxayC.csHigh entropy of concatenated method names: 'yfj9Kl5dYV', 'c509OiiADH', 'fcv91xAmqm', 'KTU9CCXmW7', 'EBt9AJBHus', 'qGj9Z1G200', 'mBB9Q83GR4', 'n6a9wxT9BM', 'bgN9n2IuqE', 'PQp9WlJSJq'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, ugiCahmWU9HqoBIE7s.csHigh entropy of concatenated method names: 'zfyapIrVCn', 'd3yaj55GQG', 'GL9agqmPc6', 'r0QarSLqLZ', 'H4dacbJo1Y', 'JZ3at1GX7V', 'FC9avsyVEU', 'mMWaS7aQJQ', 'ftAahNSyJ5', 'FFZaGoVeja'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, eID7ere8l0byUTlJ4X.csHigh entropy of concatenated method names: 'EaqySMlDiT', 'iEoyGLNdEJ', 'Hl2N8wO7WX', 'z2bN75Uic5', 'xwRyW9MulH', 'FZqyHMcG9W', 'uocyiCjIoU', 'A9hypM33SZ', 'nt1yjmfScU', 'nrOyglqcHb'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, rVFerSH0CSsFIIZJhA.csHigh entropy of concatenated method names: 'wHEkLOaF31', 'oo9kaZcCAb', 'QRUk5jqjsm', 'UVckYGuGFS', 'OXIkmreYJU', 'adq5cABv4l', 'ceA5tU17VE', 'wAr5vLpTFg', 'j9f5Sct2Bc', 'PyX5hwpS8A'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, Bpj9MhFjE7PWGgTwUM.csHigh entropy of concatenated method names: 'QQJyMOKPNe', 'm39y4hBsEp', 'ToString', 'oemyoiIUbi', 'osoya2S5if', 'DqpyXtxkKL', 'zM7y5begFm', 'FkjykjC8de', 'WVqyYAGljL', 'wpwymBJikt'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, l3RmN4vVcBhmsvF52H.csHigh entropy of concatenated method names: 'AdkNo0HbOW', 'o59NaOVBOf', 'VKyNXp2qAZ', 'nQJN5DqLZR', 'IerNkOHJlJ', 'w0tNYhtRuM', 'jn3NmYBwYF', 'jiqNlAMciX', 'wpLNM4nk7O', 'vqKN4r6a2O'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, BMpy3yYaCNHkDcpPxY.csHigh entropy of concatenated method names: 'q9s7YNspCt', 'ihp7mhNsr1', 'XkQ7Mt4iZ9', 'ith74hUk0h', 'TVC7BSPVsL', 'XoM7IEPhXM', 'TmVkWofYjh3Wc9tQF7', 'KNu2vWRJUCRvk10hFo', 'QJf77Y6W78', 'cAL7TFD3uF'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tr37UWORppbQ5PIAqL.csHigh entropy of concatenated method names: 'aDLTL4eZHQ', 'Rw2TodP4uq', 'p6RTaGMvUO', 'F3YTXk3qvL', 'WrNT5V4jZ9', 'T8BTk38Ig7', 'PvSTY5ETo4', 'kSlTmfqqjn', 'W1OTlixZKJ', 'PPTTMNig5I'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, qQvcU7zmLGU2jZReYI.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IsN69NGyuH', 'zEV6BXAlP7', 'sty6IHUhZj', 'Yrt6yyI6QP', 'yV56NNu7SY', 'F0Q66GByCm', 'Yp66RRQMJf'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, tTf6FS0JjDn3J1oUVR.csHigh entropy of concatenated method names: 'k2bBnFfc13', 'J7IBH0mqDb', 'MCjBpdno1Q', 'WeHBjghfra', 'tGxBCLHwRW', 'fraBsmbeZi', 'xSKBAWejvA', 'DIMBZcoHKo', 'mpwBeMa53N', 'wNaBQHf7Xs'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, RPembixow0X3aTpxSU.csHigh entropy of concatenated method names: 'JtRX2u3HLN', 'ufbXxNro2p', 'OCsXKxodUh', 'qNOXOQcdyL', 'kU7XBeQ5Lk', 'GlyXIL1sy2', 'PQiXyLWPUo', 'xOaXNFt0rp', 'v8xX6W8hRV', 'lP3XRvjd2C'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, k6sIoRAO12TfY5kE2j.csHigh entropy of concatenated method names: 'SRAFhRdWP', 't5E2bZwhM', 'xGfxfHpT1', 'QpgUVZVpV', 'wxrOedlN8', 'p4aJfljnO', 'Um40OyhJIpWr6t7GDc', 'SKs5HxFgPvCoW2yP1Y', 'ATZNp05LE', 'B1hRJZnC1'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3db1408.1.raw.unpack, Pq7FEuQ4AWnwjflHjd.csHigh entropy of concatenated method names: 'Dispose', 'O3c7hpmXtR', 'qmrqCueYx7', 'Gh5bbb1eNH', 'DVV7GUaLQt', 'GrP7zkVHKM', 'ProcessDialogKey', 'XuLq8fG7It', 'eMkq72mRvL', 'Q0oqqh2y9W'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, iCMsPPc14g0LbrpC1r.csHigh entropy of concatenated method names: 'ToString', 'wqKIWwsRu1', 'w5gIClLtcW', 'hOUIsVgFKX', 'EgNIAYyRPF', 'SgpIZ5w4HA', 'rLRIeblNiM', 'JxPIQXroXt', 'jp1IwC7Q4d', 'giYIPCOdX4'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, jTUmy3T7eSYsyXDiWA5.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't4IRpE8WBJ', 'HoYRjTnIR0', 'O94RgIonfe', 'PRWRrwnZ6r', 't7qRcuKqJ6', 'gYFRtCHpwx', 'eFeRvVq4aF'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, RYP9auK2gvoKrJoTUI.csHigh entropy of concatenated method names: 'tEDN1YQ4oq', 'pLlNCLOIWW', 'dpONs0MbVK', 'VHHNAar2p6', 'lDKNpkDwDA', 'MvGNZLDgOv', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, eKcewjTS759y9tNiMw6.csHigh entropy of concatenated method names: 'aKM63GnXVk', 'RfS6fjy6nD', 'soE6F7ltlY', 'i2k62Df1DV', 'ypS6DFJ3Jw', 'nR06xxoHw1', 'OCZ6UEfd6v', 'zNJ6KcMPVb', 'Q7C6O9v6B1', 'j9y6Jk6ulW'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, KS4DbtfggC5rweGmtu.csHigh entropy of concatenated method names: 'wMGY3kiXng', 'bBHYfPRbLm', 'LKhYFiVI2J', 'GOjY2VEEKG', 'h93YD8jhK1', 'OuFYxxObL1', 'tfSYUO5C5Q', 'TqUYK9t87Z', 'P5PYOhWLvQ', 'Yc8YJo32QK'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, CMJVaV2jhxJrxX4hho.csHigh entropy of concatenated method names: 'Xfl67PqBok', 'YGh6TmnQsH', 'iM86V7cg1f', 'FWJ6oH6feI', 'T7t6aTP8Wg', 'tSQ655xDT8', 'HoZ6kwF5of', 'z9QNvxR2ZN', 'MijNSsWrCN', 'Ik2NhTniRW'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, w62axEbqy4R1jsMrBU.csHigh entropy of concatenated method names: 'jbB5D5yFQi', 'IbJ5UrctGL', 'qtkXsEkjO6', 'RPRXAV4apr', 'CcrXZDBn8p', 'tsQXeF6TfO', 'rRtXQiPfU1', 'xsnXwheEoP', 'VsnXPjYqtO', 'yGjXntDgnv'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, MqQiTFRFCn0eZo02RE.csHigh entropy of concatenated method names: 'uKsk0jQDXJ', 'Lrok3dHj4l', 'N6DkFHnwSc', 'BtAk2LLG7u', 'ATRkxw9ceG', 'Qu1kUDpPc6', 'mKhkOUsP0X', 'd5SkJlrNcN', 'GL9T9uVbqwBZ36uUYK2', 'n243vyVdyHH87q2LOgQ'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tyBvNlWGwV68pMxayC.csHigh entropy of concatenated method names: 'yfj9Kl5dYV', 'c509OiiADH', 'fcv91xAmqm', 'KTU9CCXmW7', 'EBt9AJBHus', 'qGj9Z1G200', 'mBB9Q83GR4', 'n6a9wxT9BM', 'bgN9n2IuqE', 'PQp9WlJSJq'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, ugiCahmWU9HqoBIE7s.csHigh entropy of concatenated method names: 'zfyapIrVCn', 'd3yaj55GQG', 'GL9agqmPc6', 'r0QarSLqLZ', 'H4dacbJo1Y', 'JZ3at1GX7V', 'FC9avsyVEU', 'mMWaS7aQJQ', 'ftAahNSyJ5', 'FFZaGoVeja'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, eID7ere8l0byUTlJ4X.csHigh entropy of concatenated method names: 'EaqySMlDiT', 'iEoyGLNdEJ', 'Hl2N8wO7WX', 'z2bN75Uic5', 'xwRyW9MulH', 'FZqyHMcG9W', 'uocyiCjIoU', 'A9hypM33SZ', 'nt1yjmfScU', 'nrOyglqcHb'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, rVFerSH0CSsFIIZJhA.csHigh entropy of concatenated method names: 'wHEkLOaF31', 'oo9kaZcCAb', 'QRUk5jqjsm', 'UVckYGuGFS', 'OXIkmreYJU', 'adq5cABv4l', 'ceA5tU17VE', 'wAr5vLpTFg', 'j9f5Sct2Bc', 'PyX5hwpS8A'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, Bpj9MhFjE7PWGgTwUM.csHigh entropy of concatenated method names: 'QQJyMOKPNe', 'm39y4hBsEp', 'ToString', 'oemyoiIUbi', 'osoya2S5if', 'DqpyXtxkKL', 'zM7y5begFm', 'FkjykjC8de', 'WVqyYAGljL', 'wpwymBJikt'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, l3RmN4vVcBhmsvF52H.csHigh entropy of concatenated method names: 'AdkNo0HbOW', 'o59NaOVBOf', 'VKyNXp2qAZ', 'nQJN5DqLZR', 'IerNkOHJlJ', 'w0tNYhtRuM', 'jn3NmYBwYF', 'jiqNlAMciX', 'wpLNM4nk7O', 'vqKN4r6a2O'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, BMpy3yYaCNHkDcpPxY.csHigh entropy of concatenated method names: 'q9s7YNspCt', 'ihp7mhNsr1', 'XkQ7Mt4iZ9', 'ith74hUk0h', 'TVC7BSPVsL', 'XoM7IEPhXM', 'TmVkWofYjh3Wc9tQF7', 'KNu2vWRJUCRvk10hFo', 'QJf77Y6W78', 'cAL7TFD3uF'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tr37UWORppbQ5PIAqL.csHigh entropy of concatenated method names: 'aDLTL4eZHQ', 'Rw2TodP4uq', 'p6RTaGMvUO', 'F3YTXk3qvL', 'WrNT5V4jZ9', 'T8BTk38Ig7', 'PvSTY5ETo4', 'kSlTmfqqjn', 'W1OTlixZKJ', 'PPTTMNig5I'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, qQvcU7zmLGU2jZReYI.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IsN69NGyuH', 'zEV6BXAlP7', 'sty6IHUhZj', 'Yrt6yyI6QP', 'yV56NNu7SY', 'F0Q66GByCm', 'Yp66RRQMJf'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, tTf6FS0JjDn3J1oUVR.csHigh entropy of concatenated method names: 'k2bBnFfc13', 'J7IBH0mqDb', 'MCjBpdno1Q', 'WeHBjghfra', 'tGxBCLHwRW', 'fraBsmbeZi', 'xSKBAWejvA', 'DIMBZcoHKo', 'mpwBeMa53N', 'wNaBQHf7Xs'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, RPembixow0X3aTpxSU.csHigh entropy of concatenated method names: 'JtRX2u3HLN', 'ufbXxNro2p', 'OCsXKxodUh', 'qNOXOQcdyL', 'kU7XBeQ5Lk', 'GlyXIL1sy2', 'PQiXyLWPUo', 'xOaXNFt0rp', 'v8xX6W8hRV', 'lP3XRvjd2C'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, k6sIoRAO12TfY5kE2j.csHigh entropy of concatenated method names: 'SRAFhRdWP', 't5E2bZwhM', 'xGfxfHpT1', 'QpgUVZVpV', 'wxrOedlN8', 'p4aJfljnO', 'Um40OyhJIpWr6t7GDc', 'SKs5HxFgPvCoW2yP1Y', 'ATZNp05LE', 'B1hRJZnC1'
            Source: 1.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.3e38e28.2.raw.unpack, Pq7FEuQ4AWnwjflHjd.csHigh entropy of concatenated method names: 'Dispose', 'O3c7hpmXtR', 'qmrqCueYx7', 'Gh5bbb1eNH', 'DVV7GUaLQt', 'GrP7zkVHKM', 'ProcessDialogKey', 'XuLq8fG7It', 'eMkq72mRvL', 'Q0oqqh2y9W'
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe File created: C:\Users\user\AppData\Roaming\nCPTBp.exe

            Boot Survival

            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara matchFile source: Process Memory Space: nCPTBp.exe PID: 7532, type: MEMORYSTR
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeMemory allocated: D20000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeMemory allocated: 2A30000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeMemory allocated: 4A30000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeMemory allocated: 5DD0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeMemory allocated: 6DD0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeMemory allocated: 6F10000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeMemory allocated: 7F10000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeMemory allocated: A90000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeMemory allocated: 2530000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeMemory allocated: 4530000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeMemory allocated: 59E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeMemory allocated: 69E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeMemory allocated: 6B20000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exeMemory allocated: 7B20000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_0113D1C0 rdtsc
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2505
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5256
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe API coverage: 0.6 %
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe API coverage: 0.3 %
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe TID: 320 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep count: 2505 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep count: 103 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe TID: 7408 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe TID: 7608 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe TID: 7744 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: nCPTBp.exe, 00000012.00000002.1547001724.00000000056CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f
            Source: nCPTBp.exe, 00000012.00000002.1387170435.000000000084F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe Code function: 16_2_00417F03 LdrLoadDll
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D70C0 mov eax, dword ptr fs:[00000030h]16_2_010D70C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0113D0C0 mov eax, dword ptr fs:[00000030h]16_2_0113D0C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0113D0C0 mov eax, dword ptr fs:[00000030h]16_2_0113D0C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E90DB mov eax, dword ptr fs:[00000030h]16_2_010E90DB
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_011020F0 mov ecx, dword ptr fs:[00000030h]16_2_011020F0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C80E9 mov eax, dword ptr fs:[00000030h]16_2_010C80E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BA0E3 mov ecx, dword ptr fs:[00000030h]16_2_010BA0E3
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E50E4 mov eax, dword ptr fs:[00000030h]16_2_010E50E4
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E50E4 mov ecx, dword ptr fs:[00000030h]16_2_010E50E4
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_011460E0 mov eax, dword ptr fs:[00000030h]16_2_011460E0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BC0F0 mov eax, dword ptr fs:[00000030h]16_2_010BC0F0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FA30B mov eax, dword ptr fs:[00000030h]16_2_010FA30B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FA30B mov eax, dword ptr fs:[00000030h]16_2_010FA30B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FA30B mov eax, dword ptr fs:[00000030h]16_2_010FA30B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BC310 mov ecx, dword ptr fs:[00000030h]16_2_010BC310
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E0310 mov ecx, dword ptr fs:[00000030h]16_2_010E0310
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114930B mov eax, dword ptr fs:[00000030h]16_2_0114930B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114930B mov eax, dword ptr fs:[00000030h]16_2_0114930B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114930B mov eax, dword ptr fs:[00000030h]16_2_0114930B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010EF32A mov eax, dword ptr fs:[00000030h]16_2_010EF32A
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118132D mov eax, dword ptr fs:[00000030h]16_2_0118132D
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118132D mov eax, dword ptr fs:[00000030h]16_2_0118132D
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B7330 mov eax, dword ptr fs:[00000030h]16_2_010B7330
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BD34C mov eax, dword ptr fs:[00000030h]16_2_010BD34C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BD34C mov eax, dword ptr fs:[00000030h]16_2_010BD34C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114035C mov eax, dword ptr fs:[00000030h]16_2_0114035C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114035C mov eax, dword ptr fs:[00000030h]16_2_0114035C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114035C mov eax, dword ptr fs:[00000030h]16_2_0114035C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114035C mov ecx, dword ptr fs:[00000030h]16_2_0114035C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114035C mov eax, dword ptr fs:[00000030h]16_2_0114035C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114035C mov eax, dword ptr fs:[00000030h]16_2_0114035C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118A352 mov eax, dword ptr fs:[00000030h]16_2_0118A352
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01195341 mov eax, dword ptr fs:[00000030h]16_2_01195341
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B9353 mov eax, dword ptr fs:[00000030h]16_2_010B9353
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B9353 mov eax, dword ptr fs:[00000030h]16_2_010B9353
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01142349 mov eax, dword ptr fs:[00000030h]16_2_01142349
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0116437C mov eax, dword ptr fs:[00000030h]16_2_0116437C
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117F367 mov eax, dword ptr fs:[00000030h]16_2_0117F367
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C7370 mov eax, dword ptr fs:[00000030h]16_2_010C7370
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C7370 mov eax, dword ptr fs:[00000030h]16_2_010C7370
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C7370 mov eax, dword ptr fs:[00000030h]16_2_010C7370
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E438F mov eax, dword ptr fs:[00000030h]16_2_010E438F
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E438F mov eax, dword ptr fs:[00000030h]16_2_010E438F
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BE388 mov eax, dword ptr fs:[00000030h]16_2_010BE388
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BE388 mov eax, dword ptr fs:[00000030h]16_2_010BE388
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BE388 mov eax, dword ptr fs:[00000030h]16_2_010BE388
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0119539D mov eax, dword ptr fs:[00000030h]16_2_0119539D
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0111739A mov eax, dword ptr fs:[00000030h]16_2_0111739A
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0111739A mov eax, dword ptr fs:[00000030h]16_2_0111739A
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B8397 mov eax, dword ptr fs:[00000030h]16_2_010B8397
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B8397 mov eax, dword ptr fs:[00000030h]16_2_010B8397
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B8397 mov eax, dword ptr fs:[00000030h]16_2_010B8397
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E33A5 mov eax, dword ptr fs:[00000030h]16_2_010E33A5
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F33A0 mov eax, dword ptr fs:[00000030h]16_2_010F33A0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F33A0 mov eax, dword ptr fs:[00000030h]16_2_010F33A0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117B3D0 mov ecx, dword ptr fs:[00000030h]16_2_0117B3D0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h]16_2_010CA3C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h]16_2_010CA3C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h]16_2_010CA3C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h]16_2_010CA3C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h]16_2_010CA3C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CA3C0 mov eax, dword ptr fs:[00000030h]16_2_010CA3C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C83C0 mov eax, dword ptr fs:[00000030h]16_2_010C83C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C83C0 mov eax, dword ptr fs:[00000030h]16_2_010C83C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C83C0 mov eax, dword ptr fs:[00000030h]16_2_010C83C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C83C0 mov eax, dword ptr fs:[00000030h]16_2_010C83C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_011463C0 mov eax, dword ptr fs:[00000030h]16_2_011463C0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117C3CD mov eax, dword ptr fs:[00000030h]16_2_0117C3CD
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h]16_2_010D03E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h]16_2_010D03E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h]16_2_010D03E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h]16_2_010D03E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h]16_2_010D03E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h]16_2_010D03E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h]16_2_010D03E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010D03E9 mov eax, dword ptr fs:[00000030h]16_2_010D03E9
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_011953FC mov eax, dword ptr fs:[00000030h]16_2_011953FC
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F63FF mov eax, dword ptr fs:[00000030h]16_2_010F63FF
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117F3E6 mov eax, dword ptr fs:[00000030h]16_2_0117F3E6
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010DE3F0 mov eax, dword ptr fs:[00000030h]16_2_010DE3F0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010DE3F0 mov eax, dword ptr fs:[00000030h]16_2_010DE3F0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010DE3F0 mov eax, dword ptr fs:[00000030h]16_2_010DE3F0
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F7208 mov eax, dword ptr fs:[00000030h]16_2_010F7208
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F7208 mov eax, dword ptr fs:[00000030h]16_2_010F7208
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B823B mov eax, dword ptr fs:[00000030h]16_2_010B823B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01195227 mov eax, dword ptr fs:[00000030h]16_2_01195227
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117B256 mov eax, dword ptr fs:[00000030h]16_2_0117B256
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117B256 mov eax, dword ptr fs:[00000030h]16_2_0117B256
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F724D mov eax, dword ptr fs:[00000030h]16_2_010F724D
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0114D250 mov ecx, dword ptr fs:[00000030h]16_2_0114D250
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B9240 mov eax, dword ptr fs:[00000030h]16_2_010B9240
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B9240 mov eax, dword ptr fs:[00000030h]16_2_010B9240
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C6259 mov eax, dword ptr fs:[00000030h]16_2_010C6259
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01148243 mov eax, dword ptr fs:[00000030h]16_2_01148243
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01148243 mov ecx, dword ptr fs:[00000030h]16_2_01148243
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010BA250 mov eax, dword ptr fs:[00000030h]16_2_010BA250
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010B826B mov eax, dword ptr fs:[00000030h]16_2_010B826B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01101270 mov eax, dword ptr fs:[00000030h]16_2_01101270
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01101270 mov eax, dword ptr fs:[00000030h]16_2_01101270
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01170274 mov eax, dword ptr fs:[00000030h]16_2_01170274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C4260 mov eax, dword ptr fs:[00000030h]16_2_010C4260
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C4260 mov eax, dword ptr fs:[00000030h]16_2_010C4260
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010C4260 mov eax, dword ptr fs:[00000030h]16_2_010C4260
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118D26B mov eax, dword ptr fs:[00000030h]16_2_0118D26B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0118D26B mov eax, dword ptr fs:[00000030h]16_2_0118D26B
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010E9274 mov eax, dword ptr fs:[00000030h]16_2_010E9274
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE284 mov eax, dword ptr fs:[00000030h]16_2_010FE284
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE284 mov eax, dword ptr fs:[00000030h]16_2_010FE284
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F329E mov eax, dword ptr fs:[00000030h]16_2_010F329E
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010F329E mov eax, dword ptr fs:[00000030h]16_2_010F329E
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01146420 mov eax, dword ptr fs:[00000030h]16_2_01146420
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_01146420 mov eax, dword ptr fs:[00000030h]16_2_01146420
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FA430 mov eax, dword ptr fs:[00000030h]16_2_010FA430
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_0117F453 mov eax, dword ptr fs:[00000030h]16_2_0117F453
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CB440 mov eax, dword ptr fs:[00000030h]16_2_010CB440
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CB440 mov eax, dword ptr fs:[00000030h]16_2_010CB440
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CB440 mov eax, dword ptr fs:[00000030h]16_2_010CB440
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CB440 mov eax, dword ptr fs:[00000030h]16_2_010CB440
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CB440 mov eax, dword ptr fs:[00000030h]16_2_010CB440
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010CB440 mov eax, dword ptr fs:[00000030h]16_2_010CB440
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h]16_2_010FE443
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h]16_2_010FE443
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h]16_2_010FE443
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h]16_2_010FE443
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h]16_2_010FE443
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h]16_2_010FE443
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h]16_2_010FE443
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exeCode function: 16_2_010FE443 mov eax, dword ptr fs:[00000030h]16_2_010FE443
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nCPTBp.exe"
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe; Memory written: C:\Users\user\AppData\Roaming\nCPTBp.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp"
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe; Process created: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp"
            Source: C:\Users\user\AppData\Roaming\nCPTBp.exe; Process created: C:\Users\user\AppData\Roaming\nCPTBp.exe "C:\Users\user\AppData\Roaming\nCPTBp.exe"
            Source: C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match; File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match; File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 16.2.JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Process Injection (111) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (121) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Scheduled Task/Job (1) | Disable or Modify Tools (11) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (41) | Security Account Manager | Virtualization/Sandbox Evasion (41) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (111) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (4) | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            [Behavior graph] ID: 1482711; Sample: JPG_TTRN101921929240724_PDA...; Start date: 26/07/2024; Architecture: WINDOWS; Score: 100

            Source | Detection | Scanner | Label | Link
            JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | 34% | Virustotal | | Browse
            JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | 65% | ReversingLabs | Win32.Trojan.Znyonm |
            JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | 100% | Avira | HEUR/AGEN.1308795 |
            JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe | 100% | Joe Sandbox ML | |
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\nCPTBp.exe | 100% | Avira | HEUR/AGEN.1308795 |
            C:\Users\user\AppData\Roaming\nCPTBp.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Roaming\nCPTBp.exe | 65% | ReversingLabs | Win32.Trojan.Znyonm |
            C:\Users\user\AppData\Roaming\nCPTBp.exe | 34% | Virustotal | | Browse
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe, 00000001.00000002.1293693851.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, nCPTBp.exe, 00000012.00000002.1505843402.0000000002572000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            No contacted IP infos
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1482711
            Start date and time:2024-07-26 02:35:40 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 8m 26s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:28
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@19/15@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 67
            • Number of non-executed functions: 253
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            02:36:39 | Task Scheduler | Run new task: nCPTBp path: C:\Users\user\AppData\Roaming\nCPTBp.exe
            20:36:35 | API Interceptor | 4x Sleep call for process: JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe modified
            20:36:38 | API Interceptor | 39x Sleep call for process: powershell.exe modified
            20:36:42 | API Interceptor | 4x Sleep call for process: nCPTBp.exe modified
            No context
            Process:C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:true
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
            Process:C:\Users\user\AppData\Roaming\nCPTBp.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:modified
            Size (bytes):2232
            Entropy (8bit):5.379401388151058
            Encrypted:false
            SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHxvIIwLgZ2KRHWLOug8s
            MD5:AF15464AFD6EB7D301162A1DC8E01662
            SHA1:A974B8FEC71BF837B8E72FE43AB43E447FC43A86
            SHA-256:103A67F6744C098E5121D2D732753DFA4B54FA0EFD918FEC3941A3C052F5E211
            SHA-512:7B5B7B7F6EAE4544BAF61F9C02BF0138950E5D7D1B0457DE2FAB2C4C484220BDD1AB42D6884838E798AD46CE1B5B5426CEB825A1690B1190857D3B643ABFAB37
            Malicious:false
            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1600
            Entropy (8bit):5.116184291206544
            Encrypted:false
            SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtDCLxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTDIv
            MD5:FFBB0EBA5D9ECF0D61FD22B64109FE49
            SHA1:FB279686F63A45330CE925E88253FC1E1043C820
            SHA-256:CC0819A4111866711CD281C3898053FBD3EE5A814641317D6F628C6A07298C66
            SHA-512:948E6392C45D14BD1E9892BD072A93E4B73E529568E36E706C765B0D889D04C97655EDC37E44CBC637A964F47679CB1662A40434E1A85E9F18219D1B3B7F407A
            Malicious:true
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
            Process:C:\Users\user\AppData\Roaming\nCPTBp.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1600
            Entropy (8bit):5.116184291206544
            Encrypted:false
            SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtDCLxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTDIv
            MD5:FFBB0EBA5D9ECF0D61FD22B64109FE49
            SHA1:FB279686F63A45330CE925E88253FC1E1043C820
            SHA-256:CC0819A4111866711CD281C3898053FBD3EE5A814641317D6F628C6A07298C66
            SHA-512:948E6392C45D14BD1E9892BD072A93E4B73E529568E36E706C765B0D889D04C97655EDC37E44CBC637A964F47679CB1662A40434E1A85E9F18219D1B3B7F407A
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
            Process:C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):749568
            Entropy (8bit):7.9452461292666765
            Encrypted:false
            SSDEEP:12288:5u4SY+aZrwrUgIhrR+KuHi4cncr+y9ySrKDsyK+lPqSLjuNA1ypAZMm/fEMa:n/4rUgIhPuFccr+y9yqKDRuvW1rFfN
            MD5:C2BA6D34F3E6C6B3AF5448FD1A7796AD
            SHA1:446E5056B83D01FEC8CBD18E371C999E90338564
            SHA-256:2036747A3FDC79B8C1394E66B36AE1080AD22DB75F08DC9CF91E8FAC3DC5FE51
            SHA-512:246FBBD8E21297A90C52F62EF5DD4D4025615BE8C6016B40B65B855FE752245042505CB95D4A99895A0748D8AA0775BCE48EFE300C4E96001B064833BFE35B37
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 65%
            • Antivirus: Virustotal, Detection: 34%, Browse
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.f..............0..R..........2q... ........@.. ....................................@..................................p..O.................................................................................... ............... ..H............text...8Q... ...R.................. ..`.rsrc................T..............@..@.reloc...............n..............@..B.................q......H.......@z...Q......?...X...............................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0...........s.....s.....s..........(....s......s....}.....s ...}.....{....o!.....{....o!.....(".....{.....o#.....{.....o$.....{.....o%.....{.....o&.....{......s'...o(.....{........s)...o*.....{....r...po+.....{.... .... I...s,...o-.....{.....o......r...po/.....{....o0....o1.....r1..po/.....{....o2....o3.....{..... ..s'...o(..
            Process:C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.9452461292666765
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            File size:749'568 bytes
            MD5:c2ba6d34f3e6c6b3af5448fd1a7796ad
            SHA1:446e5056b83d01fec8cbd18e371c999e90338564
            SHA256:2036747a3fdc79b8c1394e66b36ae1080ad22db75f08dc9cf91e8fac3dc5fe51
            SHA512:246fbbd8e21297a90c52f62ef5dd4d4025615be8c6016b40b65b855fe752245042505cb95d4a99895a0748d8aa0775bce48efe300c4e96001b064833bfe35b37
            SSDEEP:12288:5u4SY+aZrwrUgIhrR+KuHi4cncr+y9ySrKDsyK+lPqSLjuNA1ypAZMm/fEMa:n/4rUgIhPuFccr+y9yqKDRuvW1rFfN
            TLSH:91F4239622349F29CBBEDBF50F992704833A382E8572E75D4ED150EE1522F009F98787
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.f..............0..R..........2q... ........@.. ....................................@................................
            Icon Hash:27d9696969e8152b
            Entrypoint:0x4b7132
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x66A05A9F [Wed Jul 24 01:36:31 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb70e0 | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x18d0 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0xb5138 | 0xb5200 | f07370797630dd700d2083855444e63b | False | 0.9540820177708764 | data | 7.951617880904782 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0xb8000 | 0x18d0 | 0x1a00 | dcb947f48248911f4c217f855ada02b4 | False | 0.8070913461538461 | data | 7.295037392246778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xba000 | 0xc | 0x200 | 711af67aa5dd1d95a616c361a707afa4 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xb80c8 | 0x14b2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9250660626651567
            RT_GROUP_ICON | 0xb958c | 0x14 | data | | | 1.05
            RT_VERSION | 0xb95b0 | 0x31c | data | | | 0.44597989949748745
            DLL | Import
            mscoree.dll | _CorExeMain
            No network behavior found

            Target ID:1
            Start time:20:36:35
            Start date:25/07/2024
            Path:C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
            Imagebase:0x660000
            File size:749'568 bytes
            MD5 hash:C2BA6D34F3E6C6B3AF5448FD1A7796AD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:10
            Start time:20:36:37
            Start date:25/07/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
            Imagebase:0x840000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:11
            Start time:20:36:37
            Start date:25/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff75da10000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:12
            Start time:20:36:37
            Start date:25/07/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nCPTBp.exe"
            Imagebase:0x840000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:13
            Start time:20:36:37
            Start date:25/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff75da10000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:14
            Start time:20:36:37
            Start date:25/07/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmp920A.tmp"
            Imagebase:0xe00000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:15
            Start time:20:36:37
            Start date:25/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff75da10000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:16
            Start time:20:36:38
            Start date:25/07/2024
            Path:C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-07.exe"
            Imagebase:0x4a0000
            File size:749'568 bytes
            MD5 hash:C2BA6D34F3E6C6B3AF5448FD1A7796AD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.1578419632.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            Target ID:18
            Start time:20:36:40
            Start date:25/07/2024
            Path:C:\Users\user\AppData\Roaming\nCPTBp.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\nCPTBp.exe
            Imagebase:0x1a0000
            File size:749'568 bytes
            MD5 hash:C2BA6D34F3E6C6B3AF5448FD1A7796AD
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 65%, ReversingLabs
            • Detection: 34%, Virustotal, Browse
            Reputation:low
            Has exited:true

            Target ID:19
            Start time:20:36:41
            Start date:25/07/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff7fb730000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:20
            Start time:20:36:44
            Start date:25/07/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCPTBp" /XML "C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp"
            Imagebase:0xe00000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:21
            Start time:20:36:44
            Start date:25/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff75da10000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:22
            Start time:20:36:45
            Start date:25/07/2024
            Path:C:\Users\user\AppData\Roaming\nCPTBp.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Roaming\nCPTBp.exe"
            Imagebase:0x860000
            File size:749'568 bytes
            MD5 hash:C2BA6D34F3E6C6B3AF5448FD1A7796AD
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true


              Execution Graph

              Execution Coverage:9%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:95
              Total number of Limit Nodes:10

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1309819826.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_4fa0000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: Ppq$$Aq
              • API String ID: 0-1612623262

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1309819826.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_4fa0000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: Ppq$$Aq
              • API String ID: 0-1612623262

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 00D2B2C6
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0

              Control-flow Graph

              APIs
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04FA4381
              Memory Dump Source
              • Source File: 00000001.00000002.1309819826.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_4fa0000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: CallProcWindow
              • String ID:
              • API String ID: 2714655100-0

              Control-flow Graph

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00D259C9
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0

              Control-flow Graph

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00D259C9
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0

              Control-flow Graph

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D2D50E,?,?,?,?,?), ref: 00D2D5CF
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0

              Control-flow Graph

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D2D50E,?,?,?,?,?), ref: 00D2D5CF
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0

              Control-flow Graph

              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00D2B341,00000800,00000000,00000000), ref: 00D2B552
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0

              Control-flow Graph

              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00D2B341,00000800,00000000,00000000), ref: 00D2B552
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 00D2B2C6
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 00D2B2C6
              Memory Dump Source
              • Source File: 00000001.00000002.1291292851.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_d20000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0

              Execution Graph

              Execution Coverage:0.9%
              Dynamic/Decrypted Code Coverage:5.2%
              Signature Coverage:9.3%
              Total number of Nodes:97
              Total number of Limit Nodes:8

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 32 417f03-417f1f 33 417f27-417f2c 32->33 34 417f22 call 42eea3 32->34 35 417f32-417f40 call 42f3e3 33->35 36 417f2e-417f31 33->36 34->33 39 417f50-417f61 call 42d853 35->39 40 417f42-417f4d call 42f683 35->40 45 417f63-417f77 LdrLoadDll 39->45 46 417f7a-417f7d 39->46 40->39 45->46
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417F75
              Memory Dump Source
              • Source File: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_400000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: ecfa23be914e393e23f106888a1f0f82723e280c233a546a197c55c63c917e30
              • Instruction ID: 52894ac609b363dfe8e34aa8ce9d98bcf90d8a340afb7c871bc1ba0578cea2bc
              • Opcode Fuzzy Hash: ecfa23be914e393e23f106888a1f0f82723e280c233a546a197c55c63c917e30
              • Instruction Fuzzy Hash: 26015EB5E0020DABDB10DBE5DC42FDEB7789B14308F4081AAF90897240F634EB49CB95

              Control-flow Graph

              control_flow_graph 52 42c183-42c1bc call 404ac3 call 42d363 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C1B7
              Memory Dump Source
              • Source File: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_400000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 695342d6fcfc70f7a2a8c5c55d6bc349da09463a95698ededbb1bfdfce459fbc
              • Instruction ID: 1406b7c11e7ea85a1f54c4b7c31419b200e3678adac796b4bcc3bc12ea42cd85
              • Opcode Fuzzy Hash: 695342d6fcfc70f7a2a8c5c55d6bc349da09463a95698ededbb1bfdfce459fbc
              • Instruction Fuzzy Hash: 36E086752503147BC520FB5AEC41F9BB75CEFC5714F40401AFA0867145C6B1B90187F5

              Control-flow Graph

              control_flow_graph 68 11035c0-11035cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 243f437fd13e197d57897f8e78dc2229ca4981a93fad5f86683242223b1897a0
              • Instruction ID: 55df88d00419f574049992b3107e915872bca788882001add47234a10ace856d
              • Opcode Fuzzy Hash: 243f437fd13e197d57897f8e78dc2229ca4981a93fad5f86683242223b1897a0
              • Instruction Fuzzy Hash: 5390023264550403D10471585614706600597D1201F65C421A0425568DC7958A5166A2

              Control-flow Graph

              control_flow_graph 67 1102df0-1102dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 5d9a15aca7a36438eb376c6fb6c13252becdbb6ea120c165e6ce8087ae58d6c2
              • Instruction ID: 39b11356add0c70f76e2829180d6813ab33b9a01751b46f48a692bb2d15c2d5c
              • Opcode Fuzzy Hash: 5d9a15aca7a36438eb376c6fb6c13252becdbb6ea120c165e6ce8087ae58d6c2
              • Instruction Fuzzy Hash: 1390023224140413D11571585604707500997D1241F95C422A0425558DD7568A52A221

              Control-flow Graph

              control_flow_graph 66 1102c70-1102c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 19075f9873a5780692e6441f285d5579ced662d4f631586fe0f860834abf7306
              • Instruction ID: 909fc2b4ca3a4550b39ab19aeeb864a5ab6787f159b2023eaaf7fb7357fa332a
              • Opcode Fuzzy Hash: 19075f9873a5780692e6441f285d5579ced662d4f631586fe0f860834abf7306
              • Instruction Fuzzy Hash: B390023224148803D1147158950474A500597D1301F59C421A4425658DC79589917221

              Control-flow Graph

              control_flow_graph 0 42c4c3-42c504 call 404ac3 call 42d363 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FFFFFFFF,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C4FF
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_400000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: XlA
              • API String ID: 3298025750-1434317751
              • Opcode ID: 568c8717203c7ce8ee1bf0d430a7818271d75e94255365c96f208bef65f70f5f
              • Instruction ID: dc0839e8bd8b35c13f506b23266f3e5c75e06da36b16d5f80691e8fe70cfaa1e
              • Opcode Fuzzy Hash: 568c8717203c7ce8ee1bf0d430a7818271d75e94255365c96f208bef65f70f5f
              • Instruction Fuzzy Hash: 79E092722002047BC710EE49EC41F9B77ACEFC4714F00441AFD08A7281D674B910CBB8

              Control-flow Graph

              control_flow_graph 47 42c483-42c4c1 call 404ac3 call 42d363 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E80B,?,?,00000000,?,0041E80B,?,?,?), ref: 0042C4BC
              Memory Dump Source
              • Source File: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_400000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 8cb5df75238b3ffcc9387eed0ba503bf3bc6e513969f8611e07746e9c2187fa0
              • Instruction ID: d553040956c433ae90f2f4db8ba142a6e67ce38f1addeb7425e1b814bbe7e771
              • Opcode Fuzzy Hash: 8cb5df75238b3ffcc9387eed0ba503bf3bc6e513969f8611e07746e9c2187fa0
              • Instruction Fuzzy Hash: C4E09AB26542047BCA10EE49EC41EEF73ACEFC8B10F404419FE08A7282C674B9108BB8

              Control-flow Graph

              control_flow_graph 57 42c513-42c54c call 404ac3 call 42d363 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000010.00000002.1578037000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_400000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 94a3865c648da0480397039bcfe20a964dfd432c28c69e36e7ba02e8e53160c5
              • Instruction ID: 16569107f3d9d4b15e208fa116873214dba8d787fe3e3ba427b14de8444d8d83
              • Opcode Fuzzy Hash: 94a3865c648da0480397039bcfe20a964dfd432c28c69e36e7ba02e8e53160c5
              • Instruction Fuzzy Hash: 24E086722402147BD520FB5ADC41F9B776CDFC5714F40841AFE0867141CA70B90187F8

              Control-flow Graph

              control_flow_graph 62 1102c0a-1102c0f 63 1102c11-1102c18 62->63 64 1102c1f-1102c26 LdrInitializeThunk 62->64
              APIs
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 34271d13c2c1128d0679c8ec2b9e1848096a999c70827aa7eba769305cb73600
              • Instruction ID: 667783eb17faf009446a6db66f3c8b2c6db4a6e8c89cde7a9fb29c8e752d30ae
              • Opcode Fuzzy Hash: 34271d13c2c1128d0679c8ec2b9e1848096a999c70827aa7eba769305cb73600
              • Instruction Fuzzy Hash: 7BB09B72D415C5C6DA16E764570C717790077D1701F25C075D2030685F8778C1D1E275
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: f46e99cf4fdf0eb45a3bb949723dfab489fe2a0faeedccf5df6fc5c066d87870
              • Instruction ID: 72d9557832db58db8c063178876e12c19de97fd84b5f83d3155cb4c81a1a36cd
              • Opcode Fuzzy Hash: f46e99cf4fdf0eb45a3bb949723dfab489fe2a0faeedccf5df6fc5c066d87870
              • Instruction Fuzzy Hash: 17928E71604742AFE729DF19D880FABB7E8BB84B54F04492DFA94D7250D770E884CB92
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
              • API String ID: 0-3591852110
              • Opcode ID: b4932560ccd660fd95f5c675f58ea2ee4c6322c409bda6dff980d770fc1de64e
              • Instruction ID: d7c678e6063834e3a0dc4476bced493cb25083ae49a17a14d236ca5633c0c96a
              • Opcode Fuzzy Hash: b4932560ccd660fd95f5c675f58ea2ee4c6322c409bda6dff980d770fc1de64e
              • Instruction Fuzzy Hash: 5A128B30604642EFEB2A8F29C495BBABBF1FF0A714F198459E5C68B741D734E880CB51
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
              • API String ID: 0-3532704233
              • Opcode ID: 1c93c3f0874de16d621f929daf9007c8233bfe03c55696333ccecdbec70756cb
              • Instruction ID: a5355ed92008df91c0da74541e5e34c3c568304ac2c4e4ebbe6ce6623528bc5b
              • Opcode Fuzzy Hash: 1c93c3f0874de16d621f929daf9007c8233bfe03c55696333ccecdbec70756cb
              • Instruction Fuzzy Hash: 17B1BC719093469FC725DF68C480AAFFBE8AF88718F05492EF9C8D7240D774D9488B92
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
              • API String ID: 0-3063724069
              • Opcode ID: 55fd98854b0a82fcabc1724b42023fac67e8184f8837b42ee322e239e516f0ca
              • Instruction ID: 4e6d93cf37b70abcfa5ab41091062a525c76e4c1bec31172c99175c34763bdef
              • Opcode Fuzzy Hash: 55fd98854b0a82fcabc1724b42023fac67e8184f8837b42ee322e239e516f0ca
              • Instruction Fuzzy Hash: 82D1D5B280431AEFD765DB54C880BAFBBE8AF94718F444929FE9497150E770C948C7A3
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 913e91e08bd327354fb8c64b9d080e45a18862b6335b94b7e6402fffdc64b029
              • Instruction ID: ffc2855d4cdd807b773d4aaf49c85acf61b3be01ff40185fd86a117b11f2db48
              • Opcode Fuzzy Hash: 913e91e08bd327354fb8c64b9d080e45a18862b6335b94b7e6402fffdc64b029
              • Instruction Fuzzy Hash: C6D1EC31600786EFDB2ADF69C490AA9BBF1FF4A704F188059F4869B752C734E980CB14
              Strings
              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 010BD146
              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 010BD0CF
              • @, xrefs: 010BD313
              • Control Panel\Desktop\LanguageConfiguration, xrefs: 010BD196
              • @, xrefs: 010BD0FD
              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 010BD262
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 010BD2C3
              • @, xrefs: 010BD2AF
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
              • API String ID: 0-1356375266
              • Opcode ID: 2e157f75e7ea2525bc63c7ce897ab9352bbaf1fb94c8126794740c9c24975c21
              • Instruction ID: 7a97ef9be4e1d50a4e75291a11d429f1f291c8cdcea80377eab51beac17d611f
              • Opcode Fuzzy Hash: 2e157f75e7ea2525bc63c7ce897ab9352bbaf1fb94c8126794740c9c24975c21
              • Instruction Fuzzy Hash: E0A14B719083469FD722DF65C484B9BFBE8BF98729F00492EEA8897241D774D908CF52
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-523794902
              • Opcode ID: 76ab8d1ab1c39e9c78dff83f67177eb9fe8b66dfc6b1d614a7be07abe2aba207
              • Instruction ID: ab41afab0d8276e7ed77d3cc10c9b761fd4ad2bec8ed1aaacd5561a2ededf3bc
              • Opcode Fuzzy Hash: 76ab8d1ab1c39e9c78dff83f67177eb9fe8b66dfc6b1d614a7be07abe2aba207
              • Instruction Fuzzy Hash: 0242E0712093829FD71ADF28C884BAABBE5FF88704F08496DE9D58B351DB34D941CB52
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
              • API String ID: 0-122214566
              • Opcode ID: 1fa6cd212003981da4028a2c9ad4028bd687fddff49d706e9e25faa3b2284fdf
              • Instruction ID: a41ee5b841e582779684075e8dc7a873b89a590b9c3bdcf3050b752b1fd07851
              • Opcode Fuzzy Hash: 1fa6cd212003981da4028a2c9ad4028bd687fddff49d706e9e25faa3b2284fdf
              • Instruction Fuzzy Hash: D9C16B31A003569BDF298F68C891BBEBBE5BF46314F15806DED819B291DB74CC44D391
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: 96cc3ae89819b2a3b3cb3ca513110bf9417558e95d8a9a3fddb5d45f43974e39
              • Instruction ID: bb122d0767eed827f1255b902a931de53011330c9a34c4de2877a98cbd88fb2b
              • Opcode Fuzzy Hash: 96cc3ae89819b2a3b3cb3ca513110bf9417558e95d8a9a3fddb5d45f43974e39
              • Instruction Fuzzy Hash: 12915D30B017119BDB3DEF58D885BAE7BA1BF91B18F04013CE6507BA85DB75A841C791
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
              • API String ID: 0-1745908468
              Strings
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011302BD
              • RTL: Re-Waiting, xrefs: 0113031E
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011302E7
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              Strings
              • Kernel-MUI-Language-SKU, xrefs: 010E542B
              • WindowsExcludedProcs, xrefs: 010E522A
              • Kernel-MUI-Language-Allowed, xrefs: 010E527B
              • Kernel-MUI-Language-Disallowed, xrefs: 010E5352
              • Kernel-MUI-Number-Allowed, xrefs: 010E5247
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
              • API String ID: 0-3570731704
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              Strings
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 010F855E
              • LdrpInitializeProcess, xrefs: 010F8422
              • minkernel\ntdll\ldrinit.c, xrefs: 010F8421
              • @, xrefs: 010F8591
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              Strings
              • Could not validate the crypto signature for DLL %wZ, xrefs: 0112A589
              • LdrpCompleteMapModule, xrefs: 0112A590
              • minkernel\ntdll\ldrmap.c, xrefs: 0112A59A
              • MZER, xrefs: 010E16E8
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
              • API String ID: 0-1409021520
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              • API String ID: 0-336120773
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
              • API String ID: 0-1391187441
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
              • API String ID: 0-3870751728
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
              • API String ID: 0-373624363
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: %$&$@
              • API String ID: 0-1537733988
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
              • API String ID: 0-1151232445
              Strings
              • PreferredUILanguages, xrefs: 0117C212
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0117C1C5
              • @, xrefs: 0117C1F1
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              Strings
              • RtlCreateActivationContext, xrefs: 011329F9
              • SXS: %s() passed the empty activation context data, xrefs: 011329FE
              • Actx , xrefs: 010F33AC
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
              • API String ID: 0-859632880
              Strings
              • @, xrefs: 0114B670
              • GlobalFlag, xrefs: 0114B68F
              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0114B632
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
              • API String ID: 0-4192008846
              Strings
              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0110127B
              • BuildLabEx, xrefs: 0110130F
              • @, xrefs: 011012A5
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
              • API String ID: 0-3051831665
              Strings
              • Process initialization failed with status 0x%08lx, xrefs: 011420F3
              • minkernel\ntdll\ldrinit.c, xrefs: 01142104
              • LdrpInitializationFailure, xrefs: 011420FA
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: @$@
              • API String ID: 0-149943524
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 010CA309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 010CA2FB
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
              • API String ID: 0-118005554
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: .Local\$@
              • API String ID: 0-380025441
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: PreferredUILanguages
              • API String ID: 0-1884656846
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: kLsE
              • String ID: #
              • String ID: Actx
              • String ID: LdrCreateEnclave
              • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
              • Instruction Fuzzy Hash: 83516071600606DFDF1ACF68C980A56FBB5FF45304F15C0AAE9189F252E371EA85CB90
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b34013bd18d1835c6411e241982459dbe4d2b361923e5c95866ee8e4aca75841
              • Instruction ID: a71ab840e8c8274a52da0b4451e5d2436052dfea7a9ad1455e34dfec96467c56
              • Opcode Fuzzy Hash: b34013bd18d1835c6411e241982459dbe4d2b361923e5c95866ee8e4aca75841
              • Instruction Fuzzy Hash: 124124B1B00309EBDB2DEF6898C2BAE3775AB95708F00007CEB869B745DBB19841C750
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 14a41267073f8285c66078f4e3d7bc1470a2e06466f943194b44699b3b0eebb3
              • Instruction ID: 5dd966cae52c7a1843bdff666c55dd02987fe31018315f1727d7c5e7ca058f04
              • Opcode Fuzzy Hash: 14a41267073f8285c66078f4e3d7bc1470a2e06466f943194b44699b3b0eebb3
              • Instruction Fuzzy Hash: A741DB35A002199BDB14DF98C841AEEFBB6FF48700F14816EFA85E7A45E7349C01CBA4
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c3cd8f9041198e97f798aa2610753c8945d31b8152a7125805c58482b5e86c74
              • Instruction ID: 7565caace5b59bdc9803e651489bd18755eb3965fb0ad7cfda6a5472f7046c83
              • Opcode Fuzzy Hash: c3cd8f9041198e97f798aa2610753c8945d31b8152a7125805c58482b5e86c74
              • Instruction Fuzzy Hash: 1E51AB322146A28FD72ACB5CD444F6E77E5BB48B54F0904A9F8918B791D738DC50CBA2
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
              • Instruction ID: 50be5ef43fcc75a544b0fdd66b351ba2b630fafe4d80293b5179abe4a7044cfa
              • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
              • Instruction Fuzzy Hash: A05129B1A04205DFDF18CFA9D481699BBF1FF88314B54856ED81997349D734EA80CF90
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c7b6ad98e05fe8ccd2de470f94d309ed5620782c54c3d640e8ebb2dfe7b52f4a
              • Instruction ID: c1284cc948c98312646fd858139c8f6d0cf15d6f2a58125f47fa55fe33832010
              • Opcode Fuzzy Hash: c7b6ad98e05fe8ccd2de470f94d309ed5620782c54c3d640e8ebb2dfe7b52f4a
              • Instruction Fuzzy Hash: A051E5B09006169BDB398B28CC40BECBBB2EF15314F1482E9E5A9A73D1DB359991CF40
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5aed5d09c3be208f4b57c2e5fd882ea780f3cf23f02dc70c64c660644e4a43fd
              • Instruction ID: b0c911f810f12e87ff73216ae9cfe943c5601d4940cf9a0e832043f3714aa4de
              • Opcode Fuzzy Hash: 5aed5d09c3be208f4b57c2e5fd882ea780f3cf23f02dc70c64c660644e4a43fd
              • Instruction Fuzzy Hash: 0141D1B1641306EFDB26EF69C981BAABBE8FF50794F008479E691DB650D770D840CB90
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: ac2013c91da1b622c8b36a5147c8ad37fbb83613b76fb5983b7c3ea6ed1a6221
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: 9D412931B08213DBDB29DE5884807FEFB71EB50764F15807AF9858B244E7368D80CB92
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ebdc1e1b9d0cc2631be882f154bbcaaee1f23ccf0c921a2470b2a16cab29cc3f
              • Instruction ID: f8d850d57eb22aa111e0d8e5523b475f6719fbe01b6b2705235eef7055c3e469
              • Opcode Fuzzy Hash: ebdc1e1b9d0cc2631be882f154bbcaaee1f23ccf0c921a2470b2a16cab29cc3f
              • Instruction Fuzzy Hash: AA41E4725047459FC329DF69C840BAAB7E5FFC8B00F14061DFA958B680E730D904C7A6
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: f63bf91014e293a395c3ef75f9eb370ebedec228faa747569c4f58fa9b44c534
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 0F31F231A04345ABDB229B6CCC44BDFBFE9AF54750F0481A9F899D7356CB749884CBA0
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d423054677b62f35e718eadfd01e67fad82b0ff0b30838ea4321a1875ccbc5f6
              • Instruction ID: 6737800074a0c59cc3d9288499c213fc526b62e1d92d522051a5de95439bfa38
              • Opcode Fuzzy Hash: d423054677b62f35e718eadfd01e67fad82b0ff0b30838ea4321a1875ccbc5f6
              • Instruction Fuzzy Hash: E431A471A00329AFDB36CB69CC44B9EBBF5AF85314F1041E9A58CA7280DB309D44CF51
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe205ab4cc1f26f9da1f87b4cd8e8c6d81870bf8f1312e9df90f064accd50e8a
              • Instruction ID: 47439f9f667c5096efbb93700607d03ffff8b77468f807458f7122cb67870ad9
              • Opcode Fuzzy Hash: fe205ab4cc1f26f9da1f87b4cd8e8c6d81870bf8f1312e9df90f064accd50e8a
              • Instruction Fuzzy Hash: B341AD71200B459FD72ACF28C891BDA7BE5BB59714F01852EF6998B290D774E810CB50
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction ID: 9d0e51d55b9a09c59f7d5f2e5a3c549982a423c555842d94e252cc86b55a3cee
              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction Fuzzy Hash: C131F435608342DFE725DA1ECC0876BBBD4AB85758F0889AAF9C58B281D374C841C792
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0365785ad13340b867b9bdc21f35700e1570eb3a8f6446ea0ed4c30877ec4f35
              • Instruction ID: 7bb9e445b0ca5cafd94c96101ea93fb9192668e67e42c1192e1a6194076a5da0
              • Opcode Fuzzy Hash: 0365785ad13340b867b9bdc21f35700e1570eb3a8f6446ea0ed4c30877ec4f35
              • Instruction Fuzzy Hash: D231A675A0025AEBDB19DF98CC80FAEB7B6FB48744F4581A9E900AB244D770ED41CB94
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68e9ce2e383f4c0c19e82836d5ec149060281a1db666fb826d8973dbbce70baa
              • Instruction ID: 97fc947c4558fb999a290ccecbab148e78fdb53406370f35cdb274b7ed3ccf45
              • Opcode Fuzzy Hash: 68e9ce2e383f4c0c19e82836d5ec149060281a1db666fb826d8973dbbce70baa
              • Instruction Fuzzy Hash: 14310571A00216AFDB1AAF99C880BAEB7B9AF84714F048069E502DB352DB30DC01CF90
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b7bfe50671810207e842883e1587040ba8da6795bde7f768b4abff4ea05f3c5
              • Instruction ID: b4fc84ab0d6850e0a52f7fc73d16c981718c8ba0a99a3ccbc9ef812ff43c1830
              • Opcode Fuzzy Hash: 2b7bfe50671810207e842883e1587040ba8da6795bde7f768b4abff4ea05f3c5
              • Instruction Fuzzy Hash: 6C31C2715043118FE764CF19C840B6ABBE5FF98B00F054A6EF98497350D7B5E844CB95
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
              • Instruction ID: 54cff43b216bb8cd1205d9e800a1a942fe4ed1d3f6de88319b244ed24629d98f
              • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
              • Instruction Fuzzy Hash: 67315A75604206CFC714CF1CC480956FBF6FF99314B2585A9E9589B359E730EE06CB92
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51a3e46f46db1d120cf0eef2466e19154dbc27ec6fe0bfce8b866bb62a9e6d4a
              • Instruction ID: d12afa390cb433db154ab123a81b2cd83961903f1c37b814c6eaee3c5423c4d4
              • Opcode Fuzzy Hash: 51a3e46f46db1d120cf0eef2466e19154dbc27ec6fe0bfce8b866bb62a9e6d4a
              • Instruction Fuzzy Hash: 7B31D671B003059FD728EFBAC985A6E77F9AB94304F008529D586D7254DB30EA41CB90
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction ID: 4f60e0c43a289d7e37e93001d6800b3423c77537fd4a02708b406306f9dc5139
              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction Fuzzy Hash: 83318BB260821A9FC716DF18D840A9E7BE9FF99714F00056AFC919B3A1D730DC14CBA6
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5b934a7346820704224e90291cb92a84e106dd97b02a5f5c8d576f0e38fdb81
              • Instruction ID: 8de8f3e8ac183e750ad337020f1662223ff0105d859e4aff6ea238c33412b9c7
              • Opcode Fuzzy Hash: f5b934a7346820704224e90291cb92a84e106dd97b02a5f5c8d576f0e38fdb81
              • Instruction Fuzzy Hash: F7315BB15003018BDF29AF68DC85BA9B7B4AF50308F4486B9DD859B346EB34D981CB90
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: c2ac4f6f6583e1b2f5906a39cc99fb821f59077c983d4f0dcce3c219897ccaf6
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: FB21FB36A00657A6CB19AF95C800FFBBBB5EF90714F40841AFA968B791E734D950C7E0
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 723ba7e82ff396abddc595a0d20d750c8e778aafb5a450057b7d0a00fcb16c47
              • Instruction ID: 786a6434da520eb743ee60fd84cb29bc53240ccac7eb2219906b8579242301d4
              • Opcode Fuzzy Hash: 723ba7e82ff396abddc595a0d20d750c8e778aafb5a450057b7d0a00fcb16c47
              • Instruction Fuzzy Hash: 0C31D731A0152C9BDB35DF18CC81FEE77B9EB15740F0101E5E685AB290DBB49E808FA1
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction ID: 5ed17e5a34a9104b537f0b5c6b27f2edfc346864b8a2ee47b89103cb4a181b30
              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction Fuzzy Hash: 25219F32A00609EBCB15CF58C981A8FBBF5FF4C714F148069EE59DB641D671EA058B90
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: c4134f81ff37fa63eb77521cfda286cecd056bacbad9b920bdf628c39672363a
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: 5231AB31600605EFDB25DF68C888FAAB7F9FF45354F1045A9E5928B281E730EE02CB51
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7d244c628e9a3600e4c1c5a8612d5e7f5745e4f3adbec7f6026ea78f2f565f73
              • Instruction ID: 112a78ee47b1c8616e08e6ba70eab95f8b5190093fbbf5152175acc0f7934935
              • Opcode Fuzzy Hash: 7d244c628e9a3600e4c1c5a8612d5e7f5745e4f3adbec7f6026ea78f2f565f73
              • Instruction Fuzzy Hash: 6B2138B25043059BC725EB69C989F9B77E8FBA8654F000929FA95D7694EB30D800C7A2
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction ID: 481c38d376f926fbf1455ba9f8db7056125bb8948cc3f8b57e39be1ed7f5606d
              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction Fuzzy Hash: C921D1722006069FD719CF2AC444B6ABBE9EF95360F1581ADE14A8B390EB70EC01CB94
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c51ff72ff13f8dda64ceaa356186f93cf07f3017d801b082ad26a3e0c462111
              • Instruction ID: 43e72a14987dbe21c9ab4bca86946e3742fea3953bfb89ab23dfa17ad3d19a61
              • Opcode Fuzzy Hash: 9c51ff72ff13f8dda64ceaa356186f93cf07f3017d801b082ad26a3e0c462111
              • Instruction Fuzzy Hash: A4218D71A00645AFD719DB69D840FAAB7A8FF48740F140069FA44DB690D734ED40CB58
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6085a5aab6a2f22f19c350a7ec0af886e821bf681d4552706b7a447a1d389b50
              • Instruction ID: 983bc56098bf60d6a231e3e27bea96ba7e854736ad625159d974eb7e0887b71c
              • Opcode Fuzzy Hash: 6085a5aab6a2f22f19c350a7ec0af886e821bf681d4552706b7a447a1d389b50
              • Instruction Fuzzy Hash: 06212831A047428BC329EF698840B6BB7EDEFD521CF10492DF8E683181DB71A8558792
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b619b52fd3c2fc7104eb604e7742bcdead99f33f4d6dae6d6ed390e2fd0e4a62
              • Instruction ID: 22b7755439e8bee3f4543962b19a9ef49ba949650b79d8fb265d4f0b307e4514
              • Opcode Fuzzy Hash: b619b52fd3c2fc7104eb604e7742bcdead99f33f4d6dae6d6ed390e2fd0e4a62
              • Instruction Fuzzy Hash: 0E21B3B29083469FD715EF5AD844FDBBBDCAF94A44F08045ABE80CB291D734D904C7A2
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
              • Instruction ID: 980dc89973ac9f6d301cc742670788b20c49d81c79103b610516f9523251547b
              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
              • Instruction Fuzzy Hash: 4521D472A44705ABD719DF28DC42B5BBBE4FF88760F41012EF9499B3A1D730D80087AA
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9c44964ca1a8c33db3051f852bb27b513693e4dd9fc316c33b5271f3639d833
              • Instruction ID: 0c6857260ab4de3d26283863c0b490db24973260ad516e17c248a0bbbcac711a
              • Opcode Fuzzy Hash: a9c44964ca1a8c33db3051f852bb27b513693e4dd9fc316c33b5271f3639d833
              • Instruction Fuzzy Hash: F0219A75200B01EBCB29DF29CD41B8677F5EF48B44F14846CA549CBB61E331E942CB94
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction ID: 3085576bed3125985f2d21acec13a3689547ad79389268e80ccbca8bdf34bd87
              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction Fuzzy Hash: 88218C72A00209EFDF169F99CC80BAEBBB9EF88310F214419F960A7251D734D9509B50
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
              • Instruction ID: 5119bc5d48571561b9a2213fa70d4c280d81b25411aa501bb2b695a54091dfce
              • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
              • Instruction Fuzzy Hash: A7215772600696CFE72A9B5EE948B667BE9FF04340F0D00A1ED418BA92E734DC10C751
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: 5c3695b2a5c3d2ea004d913a34d2337dd362e3d4b15c76ba14c67bd69b442481
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: F411EF72640605AFE7229B48CC82FDABBB9EB80754F10406DFB448B580D671ED44CB60
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1ec9a87a33b92fa86bf6a4497c3e92e469a2adb573e78cbf827ccb44b4a426ca
              • Instruction ID: 528765454dac69b6f8ad5fca5d0bf5d2b8504a9a1d9031e6bf2eeaf36ddc8ac0
              • Opcode Fuzzy Hash: 1ec9a87a33b92fa86bf6a4497c3e92e469a2adb573e78cbf827ccb44b4a426ca
              • Instruction Fuzzy Hash: D8F0A970E01209AFCB08EFA9D545A9EBBF4FF08300F408069B955EB381E774EA01CB54
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 549ff1e5a7747d726e5f3839d1a5d2fdad1836a2575b454b879e54098f56b109
              • Instruction ID: 4f44ce3cea41579d2c06f63e4567f6fb3ef7845f73432d10c6a3383f5fb7ba3c
              • Opcode Fuzzy Hash: 549ff1e5a7747d726e5f3839d1a5d2fdad1836a2575b454b879e54098f56b109
              • Instruction Fuzzy Hash: A2F0FAB2200748ABD731AB09CC04F9ABBEDEF94B14F18016CA68283190C6A1A909C760
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 33ebc4d71f1f2e074cbd93d1bac0bfb198cef0d5553521ca16b39c32dd4479df
              • Instruction ID: 49583747c773eb7e7602f721f594c60a5388ef5ac7ab1e5af6139c4583424b64
              • Opcode Fuzzy Hash: 33ebc4d71f1f2e074cbd93d1bac0bfb198cef0d5553521ca16b39c32dd4479df
              • Instruction Fuzzy Hash: F8F08C74A00209AFCB08EFA9E545A9EB7F4FF18300F10806AB915EB380D774DA00CB54
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8272032ab4f869fbb759104e1e219b05fccaefd50e0379042c3f623906690a2d
              • Instruction ID: 6f19b045fa4d2a13de06970a7f44788dd649ff1759716bde5b6efaa264d835e2
              • Opcode Fuzzy Hash: 8272032ab4f869fbb759104e1e219b05fccaefd50e0379042c3f623906690a2d
              • Instruction Fuzzy Hash: D4F027264156890ADF3E7B2C78D02D13B65A769124F095055E4B067209C774C8C7CB20
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 209ca5cfba31510789a7895a383fcc4de42d15a979f87ddae5cea3238d90db12
              • Instruction ID: 9454f8daf1f8baa716e209ca73040634b325fa758a3abc27023584e6a85797d0
              • Opcode Fuzzy Hash: 209ca5cfba31510789a7895a383fcc4de42d15a979f87ddae5cea3238d90db12
              • Instruction Fuzzy Hash: F0F05E70E1424DAFDB09EBB9D545FAEB7B4AF18304F108069E611EB291DAB4DA018B15
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bb353cc39e94f552dd9dc43f460dd71973912e6e0389a81348080904c65b4944
              • Instruction ID: 6ac32a07ea4fad6a6494fd419d306bef8effbd1dfc9873f82d54952e85fc1167
              • Opcode Fuzzy Hash: bb353cc39e94f552dd9dc43f460dd71973912e6e0389a81348080904c65b4944
              • Instruction Fuzzy Hash: 8CF0BE70E10309EFDB09EBA9E541EAEB7F4BF14304F0044A9B951EB2C1EB74D9008B54
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 33da89e2dce7441d818e4391f98be48d2dd449a90ec3f113c6ef53ea4553e0a8
              • Instruction ID: 7913968235695949a69f0983290c82f0a34d67c377bd1751b667a047eafaee78
              • Opcode Fuzzy Hash: 33da89e2dce7441d818e4391f98be48d2dd449a90ec3f113c6ef53ea4553e0a8
              • Instruction Fuzzy Hash: 6CF0BE70A14249AFDB09EFB9E541EAEB7B4BF14304F004069A911EB2C0EB74DA00CB14
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12e408d3feab76e3b61f2db1930c5956edb8f719adc42dbb7b9f2442472a9b1c
              • Instruction ID: 6587e49b594246c33a893a5dabf3bc9220b086792e09bb634c4b05dcd88bc9f6
              • Opcode Fuzzy Hash: 12e408d3feab76e3b61f2db1930c5956edb8f719adc42dbb7b9f2442472a9b1c
              • Instruction Fuzzy Hash: A4F02E715192999BF7A2861CC30BF517BD49B0CAA0F0894AAC6C283E02C220E880CA40
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ac5f1cb13c1be76095b5406bc776253a2144fd3ebe9c77cee6fe0b16427ff60
              • Instruction ID: f39ef45dc019bbacdabb48ee5cdd4bed6c835401f35d6530bf17aa581b35d03f
              • Opcode Fuzzy Hash: 0ac5f1cb13c1be76095b5406bc776253a2144fd3ebe9c77cee6fe0b16427ff60
              • Instruction Fuzzy Hash: B1F082B0A15249EFDB09EBB9D545E6E77B4BF04308F040059BA11EB2D0EB74D900C759
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
              • Instruction ID: 216262083dcaadde8ebede143f97159338012d49bd436c160ea062d3df65842c
              • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
              • Instruction Fuzzy Hash: D1F0E53350461467C231AA498C05F9BFBACDBE5B70F10031ABA649B1D0DA70E911C7D6
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f88747dd81ede90b8b9d91035eb922def52699e12daddcf61b886288341f8c59
              • Instruction ID: 05fb4b848f84a0302ac55d6d3c4b38198728fb86c601ee60acac066a03a12a88
              • Opcode Fuzzy Hash: f88747dd81ede90b8b9d91035eb922def52699e12daddcf61b886288341f8c59
              • Instruction Fuzzy Hash: 1CF0E270E04209AFCB09EBA9D545E9E77B4AF09304F100059A511FB2D0EA74DA008718
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 550e07f8a8ae2a60ab2f4fae8dcbf36f61bc36d2d879aaedbfe8b918d6d83e4f
              • Instruction ID: 6081211f1898691cb76212a3b03613c1860eab088866d5cc99de510b418fdfff
              • Opcode Fuzzy Hash: 550e07f8a8ae2a60ab2f4fae8dcbf36f61bc36d2d879aaedbfe8b918d6d83e4f
              • Instruction Fuzzy Hash: 47F02072E226999FDB36C71CC184B2277E89B80A30F088160E4098BEA2C338D880C290
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8e9b906f04c5146cfd7127e546c190443080f44e9210779c2babe7498adf37b
              • Instruction ID: ba5ed1d5083e2e4453d5b1ba025c0ed4f2f84fe15965c971b250a7414b3d110e
              • Opcode Fuzzy Hash: d8e9b906f04c5146cfd7127e546c190443080f44e9210779c2babe7498adf37b
              • Instruction Fuzzy Hash: A4F0E270E15209EFDB09EBA8E541EAE73B4BF04304F000099BA11EB2C0EB70D9008758
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction ID: 7e13863c1fb5a9bb1f7f7b2ed3e69d90327c4805dbb6055050ec1a3941993d74
              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction Fuzzy Hash: 75F06572104204DFE3699F09DD44F52B7F8EB05365F96C025EA199B561D379EC40CBE4
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
              • Instruction ID: 423374ec1e9c4ee8748c0bbbe2343d72a181cb3a48274b54e469a0f2721b38ec
              • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
              • Instruction Fuzzy Hash: 5CE0E533514614ABC2211A0ADC09F16BB69FFA0BB0F104119E298579908774A811CBD4
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2dced52e8800c02eadabe4105438a187c7554f9c0e795f1d635717dbd1874542
              • Instruction ID: 680a4650c292ef5062814784e9150072f8fdc3bcf498c1505d1f29020ff502f6
              • Opcode Fuzzy Hash: 2dced52e8800c02eadabe4105438a187c7554f9c0e795f1d635717dbd1874542
              • Instruction Fuzzy Hash: BCE09272100A549BC326BB29DD15FCA779AEB64764F014529F15597190CB34A850CB94
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: cc240cf008e8aeb5311967299ba64434c93e19a9d5317ca721512763f7c5cb7f
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 55E0C2343003058FE719CF19C040BA27BB6BFD5A10F28C068A9488F605EB33E852CB40
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction ID: 9b18a2b0bd764b5a8b769251ec247094606bcb241ce43d5b99efcd95afec89b5
              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction Fuzzy Hash: D4E0C231288219BBDB262A44CC00FA97B25EB60BA0F104031FA496A790C775AC91D7D8
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: 58f57d7aa300358c05ab6c892b71707eec8769a64e2b0eac52415d1aa99bc76f
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: 1EE0C231404E25EFDB363F16DC44F9576A9FF58B10F14882AE1C10A0B4C7B4AC81CB44
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 42f8a369b812e59827bcfcd9d5e1c41a899fecd46d29bf29f16ad2ddbdd41aec
              • Instruction ID: 2951800ecd747d0ccfc2c4f400d9cfc64155826e34570222680cfc33e030aa3b
              • Opcode Fuzzy Hash: 42f8a369b812e59827bcfcd9d5e1c41a899fecd46d29bf29f16ad2ddbdd41aec
              • Instruction Fuzzy Hash: 36E08C32100564ABC211FB5DDD50F8A739AEBA4660F000125F1918B690CA20AC40CB94
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc5db43be89a157df89bc51be530cf5d42bd30894dba08d4a68f04eebdfab6dd
              • Instruction ID: 7a7aa3acb638f0e573ca9a9d8eda74e485ed10ebaf73cf67ec3731ca363391f5
              • Opcode Fuzzy Hash: fc5db43be89a157df89bc51be530cf5d42bd30894dba08d4a68f04eebdfab6dd
              • Instruction Fuzzy Hash: 29F0C974255B84CBE62EDF08C1E1B5277B9F759B44F500468D4464BBA5C73AA941CB40
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
              • Instruction ID: 9c872434a4cfe83b07076d0e7d5282f764bbc9ed894dffe3a41c269f1a65c989
              • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
              • Instruction Fuzzy Hash: F0D05B31161655AFD7316F15EE45FC27AB5AF90F10F0505587181164F08565DD84C691
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: 970dd3b3c8e17fb52561004913e76f8ec2b0dc8a3445bc41578d87bd48ae0a24
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: 16D0A932204A28ABD732AA1CFC00FC333E8BB88720F060459B008CB050C3A0AC81CA84
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: ba496ee634c882761525fbe9166fb621853a937c417ec66ffdf887267be2b772
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 54D02232322070D7CB3857556840FE76905EB80A90F0A006D340A93800C0058C82C2E0
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: 477a968a0da935ae8058236d77ef6dba0ccd5d185319ad2db0faab5b993d2083
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: 4BD09235612E80CFD65ACB0CC5A4B2533E4BB84A44F8104E0E445CBB26D628E950CA00
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction ID: bda93838786eabac63882d7aa6af37c46af547f51289fe795ca4a0461dd6c061
              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction Fuzzy Hash: 8CD05E35945AC8CFE72BCB18C165B517BF4F70AF44F851098E04247BA2C37C9984CB00
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: bff56f7bca8b667f83ac3c5607c5b5f703418733df1e7d047e24966c02f4e3fe
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: 89D01236200248EFCB01DF51C890D9A776AFBD8710F108019FD19076118A75ED62DA50
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
              • Instruction ID: f7daa0be978e47c6c3228edde6b8ce465b2bef0bfe27e83cb4b786dfb3a0be12
              • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
              • Instruction Fuzzy Hash: C6C08CF81416896EEB2B5746C908B3A3ED0BB00606F8411DCBBC02E4B2C768A8028318
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c2f6e64b4a47feaa60a8627b593e6438c3e4bf40225855da5d28cb478a300814
              • Instruction ID: ba2ee439b051f058ac9b72c3befa8ba3ead4d6deb9d92c922ae926c20d4b3b33
              • Opcode Fuzzy Hash: c2f6e64b4a47feaa60a8627b593e6438c3e4bf40225855da5d28cb478a300814
              • Instruction Fuzzy Hash: 3A90022224184443D14472585904B0F910597E2202F95C029A4157554CCB1589555721
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 24b57115ff2b8623ef7bdf8deb69003de406a28ef06cc4559150d4375119cd93
              • Instruction ID: 9ff1019f4df565ef91e79f655176ada9e6cf997fc154deb8236911a6644cdc5b
              • Opcode Fuzzy Hash: 24b57115ff2b8623ef7bdf8deb69003de406a28ef06cc4559150d4375119cd93
              • Instruction Fuzzy Hash: 6C90022228140803D144715895147075006D7D1601F55C021A0025554DC7168A6567B1
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 336711d991a7d5b804dc5397dbcb25f8067e8f516a1f2ac9b84d5ace1bf08c5b
              • Instruction ID: 6ec35449439df6366f94fec8566b0ee965970dc0b6282e12473d8c69a02d0df5
              • Opcode Fuzzy Hash: 336711d991a7d5b804dc5397dbcb25f8067e8f516a1f2ac9b84d5ace1bf08c5b
              • Instruction Fuzzy Hash: 0E900232645800139144715859845469005A7E1301B55C021E0425554CCB148A565361
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 94c46c9aa6db852f567e6040c08504f5736a730b9eef307f468f32d28184449a
              • Instruction ID: 82ccc2b3fa0c1030cfe64393dba005efcba6c4be80408e0bc750da9cd9f3b995
              • Opcode Fuzzy Hash: 94c46c9aa6db852f567e6040c08504f5736a730b9eef307f468f32d28184449a
              • Instruction Fuzzy Hash: 3F90026264150043414471585904406B005A7E2301395C125A0555560CC71889559369
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cd53e7c9bbfbf0876734f7bf2a8202224d1aebd3f7b48bb2fa6523422756a72
              • Instruction ID: 74b9ef6855463ccaedf3495868ae146c0453b58f9c0941cad428be937e43eb05
              • Opcode Fuzzy Hash: 8cd53e7c9bbfbf0876734f7bf2a8202224d1aebd3f7b48bb2fa6523422756a72
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: f71855fdfa298b446ecaa21e8c46ac482417c84bead8a16931c6042eade4d19a
              • Instruction ID: fbf3b95a6427e36ca3ca0ef8e0a7a370e94793c7d415c7b8879e2a55fc7f33eb
              • Opcode Fuzzy Hash: f71855fdfa298b446ecaa21e8c46ac482417c84bead8a16931c6042eade4d19a
              • Instruction Fuzzy Hash: C351FBB5E00116BFCB1ADB5CC89497EFBF8BF48240714816AF595D7685E374DE4087A0
              Strings
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 011346FC
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01134787
              • ExecuteOptions, xrefs: 011346A0
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01134725
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01134655
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01134742
              • Execute=1, xrefs: 01134713
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: f347a0758c9b40d87b30630c500b272e9fc4457a231cedf352f5856fb5028917
              • Instruction ID: 41b98b34a775e4e636076482a87e7652e30a7b191adbf4f7e6ec7e6845f1cf4c
              • Opcode Fuzzy Hash: f347a0758c9b40d87b30630c500b272e9fc4457a231cedf352f5856fb5028917
              • Instruction Fuzzy Hash: 22511931A0021A6AEF25EBA8DC86FED77A8EF58704F0400EDD745AB5D1E7709A41CF52
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: eeabe8a47d1a83e4402f02411c66318af36769c037ee9d8236b48dcdc7247f79
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: 1781D378E092498EEF2FCE6CC8517FEBBB1AF45320F18455AD861A72D1C7B48940CB59
              Strings
              • RTL: Re-Waiting, xrefs: 01137BAC
              • RTL: Resource at %p, xrefs: 01137B8E
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01137B7F
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 0f7667183aa106eef43bcba0a2c3947c948a736947cb3a18955e0a72eaaff01f
              • Instruction ID: 9004b9c06e85b2910b020b3a57ca4499e4b68828d51e58053dc660a52c80193c
              • Opcode Fuzzy Hash: 0f7667183aa106eef43bcba0a2c3947c948a736947cb3a18955e0a72eaaff01f
              • Instruction Fuzzy Hash: FF41D3357047029FD729DE29CC41B6AB7E5EF98710F100A1DEA9A9BA80DB71E4058F91
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0113728C
              Strings
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01137294
              • RTL: Re-Waiting, xrefs: 011372C1
              • RTL: Resource at %p, xrefs: 011372A3
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: d683c60ab89a6d41cd403946ab3c528e17b3d669f2cbd436b733cd7542ba3a63
              • Instruction ID: 76a9ff83bb737cb3d79a00de6cd3847aa750f2b22ef56ec07f8586dde39063bc
              • Opcode Fuzzy Hash: d683c60ab89a6d41cd403946ab3c528e17b3d669f2cbd436b733cd7542ba3a63
              • Instruction Fuzzy Hash: 4E410271700203ABD729DE29CC42F6AB7A5FF94714F10061DFA95AB680DB31F8428BD1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: 5f450c6c40fd46670a887fced3e3fc4d694720ccd108c48e57e4f820ce4c57a1
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: F791C570E002169BDF2EDF6DC8806BEBBA5BF44320F14451EE9A5A72C4D7B0AD408B52
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.1578864787.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_1090000_JPG_TTRN101921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-0.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 7ffbcaf9a608608ce6ede075e168668b08a469500af0d747710b9c1584d060f3
              • Instruction ID: fd367e354c0f1ce59b8e389373f3948d16b3c581cf0c5527d2a68e180d89bac1
              • Opcode Fuzzy Hash: 7ffbcaf9a608608ce6ede075e168668b08a469500af0d747710b9c1584d060f3
              • Instruction Fuzzy Hash: 06811C72D002699BDB35CB54CC45BEEBBB8AB48754F0041EAEA59B7240D7705E85CFA0

              Execution Graph

              Execution Coverage:10.7%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:1.4%
              Total number of Nodes:219
              Total number of Limit Nodes:19
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 28a65deb5eef2213d578532a02953c7ce98c894535fafaa34130d5b3aae08c64
              • Instruction ID: 257d608d38a3708c9e8b96021c094582d6583ec8af4b2a685b91a4a507eed45c
              • Opcode Fuzzy Hash: 28a65deb5eef2213d578532a02953c7ce98c894535fafaa34130d5b3aae08c64
              • Instruction Fuzzy Hash: 5321DA79809218CFCF20CF54D4847E8BBB9EB49312F14A0EEC41EA7261D7345A89DF10

              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057C3AB6
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 7f0dcf3c4f001ea5ec631901c1d57d2a94ecbca35312d1fe50a2cc64f9b5abea
              • Instruction ID: 90d836ae01eb14b110e16bc12caadfe121eafeb19fa9f8fc3d1d9b5abda12e65
              • Opcode Fuzzy Hash: 7f0dcf3c4f001ea5ec631901c1d57d2a94ecbca35312d1fe50a2cc64f9b5abea
              • Instruction Fuzzy Hash: AEA16871D007199FEB24CF68C845BEEBBB2BF48314F1485ADE809A7280DB749985DF91

              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 057C3AB6
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 4bb6143778be64bd3c3da999acbc14ace20472ed6406d470f34b6023d82bacaf
              • Instruction ID: b3ecaef523060688a03d97dd240ba73aa020f109d3d2ca7716e94fc7515174ca
              • Opcode Fuzzy Hash: 4bb6143778be64bd3c3da999acbc14ace20472ed6406d470f34b6023d82bacaf
              • Instruction Fuzzy Hash: 70916971D007199FEB24CF68C845BEDBBB2BF48314F0485ADE809A7280DB759985DF91

              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00A9B2C6
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 79bf75c8fa7b915bab2450f82c7883ad97e308e38481149433272fef40bed689
              • Instruction ID: 2b156a7229bc121561db85b91378a38d4aa7d015c727e24c492f5828334fd0b0
              • Opcode Fuzzy Hash: 79bf75c8fa7b915bab2450f82c7883ad97e308e38481149433272fef40bed689
              • Instruction Fuzzy Hash: A1715970A10B058FDB24DF2AE55575ABBF1FF88300F108A2ED44AD7A50D775E849CBA1

              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 42c42bcc86add738e3d5dc9c6ca37dda35c86c33f1b073a7eb0f3a066e4c9376
              • Instruction ID: 595e54850ee0d5b9d87e439b46a75ce0e134de7ff269f88db86113ff302d1916
              • Opcode Fuzzy Hash: 42c42bcc86add738e3d5dc9c6ca37dda35c86c33f1b073a7eb0f3a066e4c9376
              • Instruction Fuzzy Hash: AF419E71D05B59CFEF22CFB9C8467ADBBF0AF46324F24824AC405AB251C775A94ACB41

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00A959C9
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 83c9270d3fe503abf7e1c847e63cb6ddf3dd10a4f5b4966221b937c6c9ddc0c9
              • Instruction ID: 1e272b5097aaf80730c58e66503f2635300b8ca70a37d87828010bcfbf4a9b7c
              • Opcode Fuzzy Hash: 83c9270d3fe503abf7e1c847e63cb6ddf3dd10a4f5b4966221b937c6c9ddc0c9
              • Instruction Fuzzy Hash: DD41EEB1D00B29CBEB24DFA9C885BCDBBF1BF48314F20816AD409AB251DB756946CF50

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00A959C9
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: e8551af091cb50026a999ef38f9ba0e8f09e89aac3ce945fca862e98b7c9dd30
              • Instruction ID: 1f092555689fafbd87b6c077678d1feef7ce4b813941ead28b8ddaf6fb7e6a44
              • Opcode Fuzzy Hash: e8551af091cb50026a999ef38f9ba0e8f09e89aac3ce945fca862e98b7c9dd30
              • Instruction Fuzzy Hash: 6341EF70D00B29CBEB25DFA9C885B8DBBF1BF48314F20816AD409AB251DB756946CF90

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 057C3688
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 4703f978edefcd9633318a5f6216ef5d20dae3559fb8867dd7f1c2288bab48d8
              • Instruction ID: bdded6ed9a6290a032cccf9cdab2e486217730613bc004a813132fa10bee2c86
              • Opcode Fuzzy Hash: 4703f978edefcd9633318a5f6216ef5d20dae3559fb8867dd7f1c2288bab48d8
              • Instruction Fuzzy Hash: 612120719003499FDB10DFAAC881BEEBBF1FB48310F10882EE919A7340D7799941DBA5

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 057C3688
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: e2b7633a822cc026d517dc79a1223c1b1fea85b4d6aefa0963c44121c45ef823
              • Instruction ID: 903ee6d889174d123f18282bf10faa5f12ba6c6a496ebe571f49beb402ec4829
              • Opcode Fuzzy Hash: e2b7633a822cc026d517dc79a1223c1b1fea85b4d6aefa0963c44121c45ef823
              • Instruction Fuzzy Hash: 252102719003499FDB10DFAAC885BEEBBF5FB48310F50882EE919A7240D7789941DBA5

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A9D50E,?,?,?,?,?), ref: 00A9D5CF
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: e1e4a43a418b7f919ae024314080a5dd4d2ca534fd96c25b0657e3f029e2057b
              • Instruction ID: f8c4e2f587f3c17cf9cd3d0ec4158a4adace47639ec764128356abffb2be9b78
              • Opcode Fuzzy Hash: e1e4a43a418b7f919ae024314080a5dd4d2ca534fd96c25b0657e3f029e2057b
              • Instruction Fuzzy Hash: B52114B5D00309AFDB10CF9AD885BDEBBF4EB48324F14801AE918A3350C378A945CFA1

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A9D50E,?,?,?,?,?), ref: 00A9D5CF
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 7f6d021a0d496a0810e982cf48e13e433e5bbe8ead712b798c4361b9cb2f328f
              • Instruction ID: ab2a1aff30ece1cf6cb6d39ec01f70630e41a099d80982d9e8104b969f17564e
              • Opcode Fuzzy Hash: 7f6d021a0d496a0810e982cf48e13e433e5bbe8ead712b798c4361b9cb2f328f
              • Instruction Fuzzy Hash: 6021E3B5D00248AFDB10CF9AD884AEEFFF4EB48314F14801AE918A7350D374A941CFA1

              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057C3768
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 2ac14d7949964d160d13d391a413b0fb72e04891deefa250441110851f2e7b54
              • Instruction ID: 7c5612583c7c662d546b6cc4473fbbff3e3c865390382c1353ce6938e2500481
              • Opcode Fuzzy Hash: 2ac14d7949964d160d13d391a413b0fb72e04891deefa250441110851f2e7b54
              • Instruction Fuzzy Hash: 7E21F4B1C003499FDB10DFAAC881BEEBBF1FB48310F50842EE919A7250C7399901DB60

              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 057C30A6
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 7f90ee9d26874c3cc0049de63812d9344a27c3efde613b6ce1891ac7deae36e8
              • Instruction ID: b6ceee70a18ee20a9ae87b7d0e82e7b79e5c2cb187d83e9f3486a62ae8deef58
              • Opcode Fuzzy Hash: 7f90ee9d26874c3cc0049de63812d9344a27c3efde613b6ce1891ac7deae36e8
              • Instruction Fuzzy Hash: 9C213471D003098FDB10DFAAC4857AEBBF5EB88310F14842DD959A7240CB799945CBA1
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057C3768
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: cdd320b6608773018ecddd45ab8c91b4ef7f42fa23e82360e08da2b34d6e888a
              • Instruction ID: c0c73eb51b65c1b2557634d6dbc70ef994a0d9709c95e4e3881575c0f320926e
              • Opcode Fuzzy Hash: cdd320b6608773018ecddd45ab8c91b4ef7f42fa23e82360e08da2b34d6e888a
              • Instruction Fuzzy Hash: 5B21D2B1C003499FDB10DFAAC881BAEBBB5FB48310F50842AE919A7250C7799941DBA5
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 057C30A6
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 7a385a5c180889f7d6b031e16970040aa17327cd58678b0a796a29c492267a76
              • Instruction ID: a5e196c909775e93df8d4314d6e005293ce08926f8eb32af0f7e31ef6380b4c4
              • Opcode Fuzzy Hash: 7a385a5c180889f7d6b031e16970040aa17327cd58678b0a796a29c492267a76
              • Instruction Fuzzy Hash: B5213771D003098FDB10DFAAC485BAEBBF5EB48314F54842DD959A7240CB789945CFA5
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9B341,00000800,00000000,00000000), ref: 00A9B552
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 0f35b912b8245add5d9878fa16e95b331cbc7d754908bc7c40a571a997483b11
              • Instruction ID: b7928183853fe170fbf2556e8e59138dff181d2a70d45569c8f3937a2efef69b
              • Opcode Fuzzy Hash: 0f35b912b8245add5d9878fa16e95b331cbc7d754908bc7c40a571a997483b11
              • Instruction Fuzzy Hash: 601103B6D003499FDB20DF9AD544B9EFBF4EB48310F10842AD919A7240C775A945CFA5
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9B341,00000800,00000000,00000000), ref: 00A9B552
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 40760663948842533021a809589aa362a6e8ad87cbde8cf10c41668c56fdd467
              • Instruction ID: 4f72e6eb4d101808c14b3f9101b5c56909026cacca47a4f7ef2d328fc220156c
              • Opcode Fuzzy Hash: 40760663948842533021a809589aa362a6e8ad87cbde8cf10c41668c56fdd467
              • Instruction Fuzzy Hash: CC1103B6D003499FDB20CF9AD544B9EFBF4AB48314F10842AD929A7340C775A945CFA1
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057C35A6
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 5252b827f1a4c528905199457a0d6cd4e1d1065711058b4ae6ccc526a7ff47a9
              • Instruction ID: 632843d7d171fd513161b83079b6483a6cc04975b042ed3e8133e3a69fc3f20b
              • Opcode Fuzzy Hash: 5252b827f1a4c528905199457a0d6cd4e1d1065711058b4ae6ccc526a7ff47a9
              • Instruction Fuzzy Hash: 17114471C003499FDB20DFAAC845BEEBFF5EB48320F108819E915A7250CB359900CFA0
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 057C35A6
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 374233316bfe0facb69b5ae5d70257df3fe0e4a81c8e6936b18c0eaeacda5658
              • Instruction ID: e51748b4a3dfda55bff402a0248b9db1226eb61312ce83ddb99c33117065c6c6
              • Opcode Fuzzy Hash: 374233316bfe0facb69b5ae5d70257df3fe0e4a81c8e6936b18c0eaeacda5658
              • Instruction Fuzzy Hash: 61114476D003498FDB14DFA9D8417EEBBF1AB48310F14881DD915A7250CB359905CF94
              APIs
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: e7318d5ce708a316d8c962f6d60cd7e0fb17e327d2210314643c6bc810809996
              • Instruction ID: 4b3f50d043a1d09254a9201c4b693778b899a4da04c6ca883b296477abbd4fba
              • Opcode Fuzzy Hash: e7318d5ce708a316d8c962f6d60cd7e0fb17e327d2210314643c6bc810809996
              • Instruction Fuzzy Hash: E31146B1D003498FDB20DFAAC445B9EBBF5EB48324F14842DD559A7350CB35A941CF95
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00A9B2C6
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 12835fabc9e336566c97277f666d0339703a84c36cd4e04be352dce33a003e7e
              • Instruction ID: 027a80fd87bd4bdb6495f510f7e8985e637c6e72f4b85b34b464c1fe6d06dd63
              • Opcode Fuzzy Hash: 12835fabc9e336566c97277f666d0339703a84c36cd4e04be352dce33a003e7e
              • Instruction Fuzzy Hash: 9111EFB5D002498ADB10DF9AD544BDEBBF4EB88324F10842AD829B7650C375A545CFA1
              APIs
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 890822d51d3c4de6b6e8f4dec6aef798868291aa37c51204496c7bef6e5a75b7
              • Instruction ID: 5f9fecc8ef642f36fbd1b2f6478470f03e36e939f05b0e3ea2f6c3faab7c05ac
              • Opcode Fuzzy Hash: 890822d51d3c4de6b6e8f4dec6aef798868291aa37c51204496c7bef6e5a75b7
              • Instruction Fuzzy Hash: 4D1158B1C003498FDB20DFAAC44579EFBF4EB48320F10841DD519A7240CB35A941CB95
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00A9B2C6
              Memory Dump Source
              • Source File: 00000012.00000002.1465852391.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_a90000_nCPTBp.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: f6f91b4fed311fa388a02a6724744fa7460dc3d2402dc2ddca8c97d2ae260295
              • Instruction ID: 5ebad3096093ddd5305969f6bca38e5e711553aab9207e6229f24c2024361ede
              • Opcode Fuzzy Hash: f6f91b4fed311fa388a02a6724744fa7460dc3d2402dc2ddca8c97d2ae260295
              • Instruction Fuzzy Hash: EF11DFB5D003498FDB20DF9AD544BDEFBF4EB88324F10852AD829A7650C379A545CFA1
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 057C6DCD
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 0df124e351fcfe3d9ba57e70e68d88686852288210e34bb110aa6ffb17bce7cf
              • Instruction ID: 2f410b5a1a9f5ef011e61e1cafe4d0e8b1332f13ad9c5a1a4d3cb950ed57e400
              • Opcode Fuzzy Hash: 0df124e351fcfe3d9ba57e70e68d88686852288210e34bb110aa6ffb17bce7cf
              • Instruction Fuzzy Hash: 3D11E0B58003599FDB20DF9AD885BEEBBF8EB48320F108459E919A7240C375A944CFA5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 057C6DCD
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 58d0462f18362618c2e1fe1a6505443bd591cf91364fe5c17ed4163713e47b1a
              • Instruction ID: 88c8b0e69695b3142dec70354fe33377d1262a99f868e503fd2f6cbd948f083e
              • Opcode Fuzzy Hash: 58d0462f18362618c2e1fe1a6505443bd591cf91364fe5c17ed4163713e47b1a
              • Instruction Fuzzy Hash: D411E0B58003599FDB20DF9AD485BDEBBF8EB48324F108459E918A7350C379A944CFA1
              Memory Dump Source
              • Source File: 00000012.00000002.1427569030.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_8ed000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1da9be76e817055d6c51746cc1c4f381683f63746e2b5c3bf586a767c49815fa
              • Instruction ID: 45c29460cf69d50e7c3a70fda29a5488e7496ca0f6b2afe0f056c7aee1e08f7e
              • Opcode Fuzzy Hash: 1da9be76e817055d6c51746cc1c4f381683f63746e2b5c3bf586a767c49815fa
              • Instruction Fuzzy Hash: 23212572504384DFDB15DF14D9C0B26BF65FB98328F20C569E8098F256C336D85ACBA2
              Memory Dump Source
              • Source File: 00000012.00000002.1433919475.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_8fd000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b05b81340fdf1c26fd48ef7a18c01a7b9a26bfbb8f1dd973e1b1a3add9f56b3a
              • Instruction ID: 4947ff4dbeafe256f53cd4444ebd53f67db579e154d90488adcb1eea2410aef3
              • Opcode Fuzzy Hash: b05b81340fdf1c26fd48ef7a18c01a7b9a26bfbb8f1dd973e1b1a3add9f56b3a
              • Instruction Fuzzy Hash: 4521D375604708DFDB14DF24D984B26BB66FBC4314F20C569DA498B386CB36D847CA62
              Memory Dump Source
              • Source File: 00000012.00000002.1433919475.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_8fd000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1ba35e8219cca218dd31abd7e413df76ba2078a31e0f34244c5bf3a3a237b37b
              • Instruction ID: 461ce762a010a3a9aed9c28d82a2dae2456f625a725813bf3b9f27c0decc8a39
              • Opcode Fuzzy Hash: 1ba35e8219cca218dd31abd7e413df76ba2078a31e0f34244c5bf3a3a237b37b
              • Instruction Fuzzy Hash: C621F571604308DFDB15DF20D9C4B26BB66FB84314F20C56DDA498B296C336E846CAA1
              Memory Dump Source
              • Source File: 00000012.00000002.1427569030.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_8ed000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
              • Instruction ID: 0f86ac9f626fb2ed12bb0ca7b6baf2f158e4cb30060cbb8552c40f6b0c96a37b
              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
              • Instruction Fuzzy Hash: 1111D376504380CFCB15CF14D9C4B16BF72FB94324F24C6A9D8494B656C336D85ACBA1
              Memory Dump Source
              • Source File: 00000012.00000002.1433919475.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_8fd000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
              • Instruction ID: 25aa3e647b9e62200650b8dc8b8e76cfabe48cce0311b4dbab8e63ed7bfe23af
              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
              • Instruction Fuzzy Hash: 8111BE75504244DFCB05CF20C5C0B25BB62FB84314F24C6AEDA498B296C33AE80ACB91
              Memory Dump Source
              • Source File: 00000012.00000002.1433919475.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_8fd000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
              • Instruction ID: 7328793923fb0339248e18fe16a66e3be34c704dcfa164db47422d6d128b05ba
              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
              • Instruction Fuzzy Hash: 7A11BE75504784CFCB15CF24D5C4B25FB62FB84314F24C6A9DA498B656C33AD80BCB61
              Memory Dump Source
              • Source File: 00000012.00000002.1547160406.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_57c0000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 661a73192abe7e1e35471eb4fce775ef4d14a5f4993a31bdf804dc9ae67a7a88
              • Instruction ID: b65dfdace42b3bf26165561f4e95b58debd4c909f590e116d620860cd6f712dc
              • Opcode Fuzzy Hash: 661a73192abe7e1e35471eb4fce775ef4d14a5f4993a31bdf804dc9ae67a7a88
              • Instruction Fuzzy Hash: 7FE0ED79909218CFCB00DF94E8441E8BB79EB5A312F0160DAD51AA7212D3304A449B00

              Execution Graph

              Execution Coverage:0%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:3
              Total number of Limit Nodes:0
              execution_graph 62439 13b2c1d 62440 13b2c1f LdrInitializeThunk 62439->62440 62443 13b2b60 LdrInitializeThunk

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 13b2c0a-13b2c0f 1 13b2c1f-13b2c26 LdrInitializeThunk 0->1 2 13b2c11-13b2c18 0->2 2->1
              APIs
              • LdrInitializeThunk.NTDLL(013CFD4F,000000FF,00000024,01466634,00000004,00000000,?,-00000018,7D810F61,?,?,01388B12,?,?,?,?), ref: 013B2C24
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 65eb919700ebd7a350826e85e1a60ee0b81968b559703f520ba1695805f2cca9
              • Instruction ID: 7b22a02fb7504e63faa2470848112290d96038e88fbea65ee8ed2343b8c08078
              • Opcode Fuzzy Hash: 65eb919700ebd7a350826e85e1a60ee0b81968b559703f520ba1695805f2cca9
              • Instruction Fuzzy Hash: B1B09B759015C5C5EE11E76846087177A0077D0705F15C165D3030681F4739D5D5E375

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 4 13b2b60-13b2b6c LdrInitializeThunk
              APIs
              • LdrInitializeThunk.NTDLL(013E0DBD,?,?,?,?,013D4302), ref: 013B2B6A
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 26e49b0a9a87d22e2df00bb9b9871440d3757e9888326bf7ea195d5bbed89d31
              • Instruction ID: 24f5c1b2b0b6667cf0b1c7bbc53ad9c7c49d271ee0a0301adc66a190c8090bc9
              • Opcode Fuzzy Hash: 26e49b0a9a87d22e2df00bb9b9871440d3757e9888326bf7ea195d5bbed89d31
              • Instruction Fuzzy Hash: 29900269202400039105715D4414616500A97E0605B55C065E1014590DC5268E956325

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 8 13b2df0-13b2dfc LdrInitializeThunk
              APIs
              • LdrInitializeThunk.NTDLL(013EE73E,0000005A,0144D040,00000020,00000000,0144D040,00000080,013D4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,013BAE00), ref: 013B2DFA
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: bdba0528ac29291573cf50c66863e2ac5ffe0836c2d8c319ed6e2f1a1ea09fce
              • Instruction ID: 0a9d9599082e395acb0acdccd170595c233508cc421f6c75562e10b886cab7e4
              • Opcode Fuzzy Hash: bdba0528ac29291573cf50c66863e2ac5ffe0836c2d8c319ed6e2f1a1ea09fce
              • Instruction Fuzzy Hash: 6690023920140413E111715D4504707100997D0645F95C456A0424558DD6578F56A321

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 5 13b2c1d-13b2c26 LdrInitializeThunk
              APIs
              • LdrInitializeThunk.NTDLL(013CFD4F,000000FF,00000024,01466634,00000004,00000000,?,-00000018,7D810F61,?,?,01388B12,?,?,?,?), ref: 013B2C24
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 8cb2527d94253db5cd9b5bfaa8213a3f888745ffe6ae56bd892073db3b38de15
              • Instruction ID: 28d43aa28d752c5ec9222425c01e49bb70c941cb901a5745ebb9f132c92414ba
              • Opcode Fuzzy Hash: 8cb2527d94253db5cd9b5bfaa8213a3f888745ffe6ae56bd892073db3b38de15
              • Instruction Fuzzy Hash:

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 7 13b2c70-13b2c7c LdrInitializeThunk
              APIs
              • LdrInitializeThunk.NTDLL(0136FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,013C7BE5,00001000,00004000,000000FF,?,00000000), ref: 013B2C7A
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 8e77f248ca40d3c2813f1be3811b42429125f66345a15ceb3428d5aec6f80ed9
              • Instruction ID: a215ce42b52f6f7fda3644b3edf11c614021cae9dacceb147cb1695b54f53bcb
              • Opcode Fuzzy Hash: 8e77f248ca40d3c2813f1be3811b42429125f66345a15ceb3428d5aec6f80ed9
              • Instruction Fuzzy Hash: 9F90023920148802E110715D840474A100597D0705F59C455A4424658DC6968E957321

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 9 13b35c0-13b35cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: a76480cf83662281b35004bad0891b8410d6648b46b27e3f14e7f9dbfc806183
              • Instruction ID: d7e46b671a9fa026a178a55e31ca0474174b4e058add7ca97cd080345d9cac4d
              • Opcode Fuzzy Hash: a76480cf83662281b35004bad0891b8410d6648b46b27e3f14e7f9dbfc806183
              • Instruction Fuzzy Hash: 9590023960550402E100715D4514706200597D0605F65C455A0424568DC7968F5567A2

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 10 42dd5d-42dd7a 12 42dd89-42dd90 10->12 13 42dd9f-42dda4 12->13 14 42dda6-42ddaf 13->14 15 42ddfe-42de03 13->15 16 42ddbe-42ddc3 14->16 17 42ddd6-42ddf5 16->17 18 42ddc5-42ddd3 16->18 21 42ddfb 17->21 18->17 21->15
              Memory Dump Source
              • Source File: 00000016.00000002.1719604493.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_42d000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4849abdad13e5ec9331979f80db4aba7f59e096d841adad5e3edc67e916cd732
              • Instruction ID: aea46bc67a38cc0501abb5bd056dfc2009d678ea9b024d492faa6a6cdcb7058a
              • Opcode Fuzzy Hash: 4849abdad13e5ec9331979f80db4aba7f59e096d841adad5e3edc67e916cd732
              • Instruction Fuzzy Hash: A801F9B5D0061866FF60EB919C46FEEB3B8AB44305F5402CEA50CE2181EB747A888A65

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 22 42dd63-42dda4 25 42dda6-42ddc3 22->25 26 42ddfe-42de03 22->26 28 42ddd6-42ddf5 25->28 29 42ddc5-42ddd3 25->29 32 42ddfb 28->32 29->28 32->26
              Memory Dump Source
              • Source File: 00000016.00000002.1719604493.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_42d000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77cbd82c4dd18dac001034c8b22122d956c2545b5b4393d51210e1163def16b7
              • Instruction ID: 953732343a7677c0117d4b71731604ee0a38298bea5cda0ca78342005110dd90
              • Opcode Fuzzy Hash: 77cbd82c4dd18dac001034c8b22122d956c2545b5b4393d51210e1163def16b7
              • Instruction Fuzzy Hash: 4D01D8B5D0062866FF60EB919C42FEEB3B8AB04305F5402DEA50CE2181FF7477888A65

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 33 13b4a80-13b4a8b 34 13b4a9f-13b4aa6 33->34 35 13b4a8d-13b4a99 RtlDebugPrintTimes 33->35 36 13b4aa8-13b4aae 34->36 37 13b4aaf-13b4ab6 call 139f5a0 34->37 35->34 40 13b4b25-13b4b26 35->40 42 13b4ab8-13b4b22 call 13a1e46 * 2 37->42 43 13b4b23 37->43 42->43 43->40
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: 0Ivw$0Ivw$0Ivw$0Ivw$0Ivw$0Ivw
              • API String ID: 3446177414-4119021165
              • Opcode ID: 4f4d20a9f4c07fd06f6023cf672993c3ed4b321c1ba70e81c553d5d0a0adb9f4
              • Instruction ID: 074ff9ab157194c0c15fac05ed1b280fc6f1ea3bfebd8c86bdcff4b0d77ddb58
              • Opcode Fuzzy Hash: 4f4d20a9f4c07fd06f6023cf672993c3ed4b321c1ba70e81c553d5d0a0adb9f4
              • Instruction Fuzzy Hash: 820192B2E05110AFE7209A2CF9447C63B95B78572CF15005AEA088B2B5E7F04841D396

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID:
              • API String ID: 48624451-0
              • Opcode ID: 4e35387fa978fd96ca4166a3c78cd4c19d84acd3dabbaf85bf1e283b9ad30827
              • Instruction ID: ef8234b562f9e76432e4097d15945faa92636b6e122c0a4df3f0652571616745
              • Opcode Fuzzy Hash: 4e35387fa978fd96ca4166a3c78cd4c19d84acd3dabbaf85bf1e283b9ad30827
              • Instruction Fuzzy Hash: C251EEB5A00156BFCB11DB9C88D45BFFBF8BB482487148229F5A9D7A41E334EE5087D0

              Control-flow Graph

              Strings
              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013D79D5
              • RtlpFindActivationContextSection_CheckParameters, xrefs: 013D79D0, 013D79F5
              • SsHd, xrefs: 0138A3E4
              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013D79FA
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
              • API String ID: 0-929470617
              • Opcode ID: 08d2541e079b781053d5c665b3efb7ec8dc80145bb78ab3c8a8949a5b0f55bb7
              • Instruction ID: 2739278b08675d3aa65d43198c4fb1ce8540108a10630c2b4c2e1a518e697f5a
              • Opcode Fuzzy Hash: 08d2541e079b781053d5c665b3efb7ec8dc80145bb78ab3c8a8949a5b0f55bb7
              • Instruction Fuzzy Hash: 63E1E5716043058FEB25DF2CC484B2ABBE5BB8422CF144A2EE995CB391D771D985CB52

              Control-flow Graph

              • Executed
              • Not Executed
              APIs
              Strings
              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013D9346
              • RtlpFindActivationContextSection_CheckParameters, xrefs: 013D9341, 013D9366
              • GsHd, xrefs: 0138D874
              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013D936B
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
              • API String ID: 3446177414-576511823
              • Opcode ID: 2ab5c4559b3a014282a67aa8c533a5ade91b985ce26758f562bab46eae4e0c50
              • Instruction ID: ce45d29b827fae95ba03a52010211dbdfd7f08bc10ac2db10311be57f40b6c6f
              • Opcode Fuzzy Hash: 2ab5c4559b3a014282a67aa8c533a5ade91b985ce26758f562bab46eae4e0c50
              • Instruction Fuzzy Hash: 55E1B271604346DFDB20DF68C480B6ABBF5BF8831CF044A6DE9959B281D771E944CB92

              Control-flow Graph

              • Executed
              • Not Executed
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
              • Instruction ID: c591cae41ccde1842495be059f2e40a8500ca12c715a50f0d1eced1382f7a2a4
              • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
              • Instruction Fuzzy Hash: 4181C270E052499EEF258E6CC8D17FEFFA1AF45328F18411ADA51A7A99EF348840C751

              Control-flow Graph

              • Executed
              • Not Executed
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: $$@
              • API String ID: 3446177414-1194432280
              • Opcode ID: eb10f7fe17ac1bde8d6c75bfeb5acc14bf9290a654065a470bbd20b8ba71b4d1
              • Instruction ID: 412de7f0294dbb6c6e4383f241da05351b8d4444495c828b8b409ee6c83b61f2
              • Opcode Fuzzy Hash: eb10f7fe17ac1bde8d6c75bfeb5acc14bf9290a654065a470bbd20b8ba71b4d1
              • Instruction Fuzzy Hash: 5F811C72D00269DBDB35DB58DC44BEAB7B8AB48718F0041DAEA19B7250D7745E84CFA0

              Control-flow Graph

              • Executed
              • Not Executed
              APIs
              • RtlDebugPrintTimes.NTDLL ref: 0139D959
                • Part of subcall function 01374859: RtlDebugPrintTimes.NTDLL ref: 013748F7
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: $$$$(/$x+
              • API String ID: 3446177414-373281385
              • Opcode ID: 79fa4dcb679273b050b7ec02edc87d93a207ead904ef586ed52e56e86f05c1cb
              • Instruction ID: b0445f73f490a92f41dcb5b3a225d54ad29258abdafb066d4639791c9af911ac
              • Opcode Fuzzy Hash: 79fa4dcb679273b050b7ec02edc87d93a207ead904ef586ed52e56e86f05c1cb
              • Instruction Fuzzy Hash: CE51EF71A0434ADFDF24EFA8D58679EBFB1BF5830CF244019D8056B2A2C774A846CB91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: 0Ivw$0Ivw$0Ivw$X
              • API String ID: 3446177414-3775388739
              • Opcode ID: dcbd839cc86851459e16f5e6d9fd307abb2dade08d3ef5284b7232bee02e9a97
              • Instruction ID: c7419f994ad187fc2f0e95a45e85c8f74c0f9cfc5af66c909f45e275bfa78990
              • Opcode Fuzzy Hash: dcbd839cc86851459e16f5e6d9fd307abb2dade08d3ef5284b7232bee02e9a97
              • Instruction Fuzzy Hash: 8A31B43190420AEFEF22DF58D880BCD7BB5AB8875CF05405DFE0556262E7B08A50DF8A
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
              • API String ID: 3446177414-56086060
              • Opcode ID: cf70c51c39429ef15c8aef7c9de14ae170f02ed25edff46ce0caf671a77ae882
              • Instruction ID: 32b69654a79b2d1d5b502f041d900c808fe3257ee9981adfbc532817ff05b4d2
              • Opcode Fuzzy Hash: cf70c51c39429ef15c8aef7c9de14ae170f02ed25edff46ce0caf671a77ae882
              • Instruction Fuzzy Hash: 55415B32600645DFDB22DF7CC485B6ABBF8EF0072CF148569E50287BA1C778A881CB91
              APIs
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 013F4899
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 013F4888
              • LdrpCheckRedirection, xrefs: 013F488F
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              • Associated: 00000016.00000002.1720196476.0000000001340000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001347000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.00000000013C0000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001402000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001463000.00000040.00001000.00020000.00000000.sdmp
              • Associated: 00000016.00000002.1720196476.0000000001469000.00000040.00001000.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 3446177414-3154609507
              • Opcode ID: 6a04bf3cbd37ac356646e91ec13558650b063a078deefc1e37524a928af11f96
              • Instruction ID: 773aab46ab470f23fe42fada1f47ffdea598c02cb56fdb51225de55ea31cce0d
              • Opcode Fuzzy Hash: 6a04bf3cbd37ac356646e91ec13558650b063a078deefc1e37524a928af11f96
              • Instruction Fuzzy Hash: 7941AF32A046519FCB21CE6DD840E277FE8AF89A58F06056DEE58D7365D732E804CB91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
              • API String ID: 3446177414-3526935505
              • Opcode ID: dd7be55807d30fd5e0e89cc055ec3513f113c983b699106be31d947f2d178e34
              • Instruction ID: cb374eb5312da6be0c6a35c5d487f8968d29984910e798f53535218b4c2ef84a
              • Opcode Fuzzy Hash: dd7be55807d30fd5e0e89cc055ec3513f113c983b699106be31d947f2d178e34
              • Instruction Fuzzy Hash: B231E531204784DFDF26DB6CD44ABA57BECEF0175CF054059E44687BA6C7B8A881CB51
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: $
              • API String ID: 3446177414-3993045852
              • Opcode ID: 21ee1c38fa4f789f15d146026d8149154beed83d467f5f38319576582826f588
              • Instruction ID: a301a2df54a0731ab4df7ffd1b4cc0b400b1969738e7086c27df47a9b41c23c7
              • Opcode Fuzzy Hash: 21ee1c38fa4f789f15d146026d8149154beed83d467f5f38319576582826f588
              • Instruction Fuzzy Hash: 9911FA32904219EBDF15AFA4E848ADD7B71FF44768F108529F92A662A0CB756E50CB80
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_1340000_nCPTBp.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe65241aff179843ba1a9616337f7afe7f5043b6aef9ff0c2fe25aa952506a8
              • Instruction ID: a6e0d35edbb03c19c1b80f34e6fd4af472f45b97bb34230240947f87025de5c8
              • Opcode Fuzzy Hash: cfe65241aff179843ba1a9616337f7afe7f5043b6aef9ff0c2fe25aa952506a8
              • Instruction Fuzzy Hash: DBE10DB5D00608CFDF25CFA9C980AADBBF9BF48318F24456AE946E7661D770A841CF50
              APIs
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: DebugPrintTimes
              • String ID:
              • API String ID: 3446177414-0
              APIs
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: DebugPrintTimes
              • String ID:
              • API String ID: 3446177414-0
              APIs
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: DebugPrintTimes$BaseInitThreadThunk
              • String ID:
              • API String ID: 4281723722-0
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: DebugPrintTimes
              • String ID: Bl$l
              • API String ID: 3446177414-208461968
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 013B5E34
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: ErrorHandling__start
              • String ID: pow
              • API String ID: 3213639722-2276729525
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID:
              • String ID: 0$Flst
              • API String ID: 0-758220159
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: DebugPrintTimes
              • String ID: x+
              • API String ID: 3446177414-209755895
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: DebugPrintTimes
              • String ID: minkernel\ntdll\ldrsnap.c$x+
              • API String ID: 3446177414-456509414
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.00000000013C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: DebugPrintTimes
              • String ID: $
              • API String ID: 3446177414-3993045852
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000016.00000002.1720196476.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 01340000, based on PE: true
              Similarity
              • API ID: DebugPrintTimes
              • String ID: 0$0
              • API String ID: 3446177414-203156872