Edit tour

Windows Analysis Report
z2PaymentAdviceD00772795264733.exe

Overview

General Information

Sample name:	z2PaymentAdviceD00772795264733.exe
Analysis ID:	1559924
MD5:	bb600d9f9b2c015c5dcec1e1a02684bc
SHA1:	8ab327f9aa495f7bc5b2e6101c1152463bedc24a
SHA256:	8dd1167ef29a5c350fd3004da6a685cf48c6c587dac25fc4786f9fd90284b5b1
Tags:	exeuser-Porcupine
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

z2PaymentAdviceD00772795264733.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe" MD5: BB600D9F9B2C015C5DCEC1E1A02684BC)

powershell.exe (PID: 7472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7892 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7572 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

z2PaymentAdviceD00772795264733.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe" MD5: BB600D9F9B2C015C5DCEC1E1A02684BC)

WerFault.exe (PID: 1344 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 196 MD5: C31336C1EFC2CCB44B4326EA793040F2)

YDKFDa.exe (PID: 7792 cmdline: C:\Users\user\AppData\Roaming\YDKFDa.exe MD5: BB600D9F9B2C015C5DCEC1E1A02684BC)

schtasks.exe (PID: 8080 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

YDKFDa.exe (PID: 8124 cmdline: "C:\Users\user\AppData\Roaming\YDKFDa.exe" MD5: BB600D9F9B2C015C5DCEC1E1A02684BC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: z2PaymentAdviceD00772795264733.exe PID: 7312	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: YDKFDa.exe PID: 7792	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.YDKFDa.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
13.2.YDKFDa.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", ParentImage: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe, ParentProcessId: 7312, ParentProcessName: z2PaymentAdviceD00772795264733.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", ProcessId: 7472, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YDKFDa.exe, ParentImage: C:\Users\user\AppData\Roaming\YDKFDa.exe, ParentProcessId: 7792, ParentProcessName: YDKFDa.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp", ProcessId: 8080, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", ParentImage: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe, ParentProcessId: 7312, ParentProcessName: z2PaymentAdviceD00772795264733.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp", ProcessId: 7572, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", ParentImage: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe, ParentProcessId: 7312, ParentProcessName: z2PaymentAdviceD00772795264733.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", ProcessId: 7472, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe", ParentImage: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe, ParentProcessId: 7312, ParentProcessName: z2PaymentAdviceD00772795264733.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp", ProcessId: 7572, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Virustotal: Detection: 31%			Perma Link

Multi AV Scanner detection for submitted file

Source: z2PaymentAdviceD00772795264733.exe	ReversingLabs: Detection: 34%
Source: z2PaymentAdviceD00772795264733.exe	Virustotal: Detection: 31%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 13.2.YDKFDa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.YDKFDa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\YDKFDa.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: z2PaymentAdviceD00772795264733.exe

Joe Sandbox ML: detected

Source: z2PaymentAdviceD00772795264733.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: z2PaymentAdviceD00772795264733.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: YDKFDa.exe, 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: YDKFDa.exe, YDKFDa.exe, 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 4x nop then jmp 070BB014h		0_2_070BB7BF
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 4x nop then jmp 06C3A214h		9_2_06C3A9BF

Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1737008129.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp, YDKFDa.exe, 00000009.00000002.1972590732.00000000027CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr	String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr	String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr	String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 13.2.YDKFDa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.YDKFDa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: z2PaymentAdviceD00772795264733.exe

Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0042C713 NtClose,	13_2_0042C713
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_01AF2DF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_01AF2C70
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF35C0 NtCreateMutant,LdrInitializeThunk,	13_2_01AF35C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF4340 NtSetContextThread,	13_2_01AF4340
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF4650 NtSuspendThread,	13_2_01AF4650
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2BA0 NtEnumerateValueKey,	13_2_01AF2BA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2B80 NtQueryInformationFile,	13_2_01AF2B80
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2BE0 NtQueryValueKey,	13_2_01AF2BE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2BF0 NtAllocateVirtualMemory,	13_2_01AF2BF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2B60 NtClose,	13_2_01AF2B60
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2AB0 NtWaitForSingleObject,	13_2_01AF2AB0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2AF0 NtWriteFile,	13_2_01AF2AF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2AD0 NtReadFile,	13_2_01AF2AD0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2DB0 NtEnumerateKey,	13_2_01AF2DB0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2DD0 NtDelayExecution,	13_2_01AF2DD0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2D30 NtUnmapViewOfSection,	13_2_01AF2D30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2D00 NtSetInformationFile,	13_2_01AF2D00
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2D10 NtMapViewOfSection,	13_2_01AF2D10
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2CA0 NtQueryInformationToken,	13_2_01AF2CA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2CF0 NtOpenProcess,	13_2_01AF2CF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2CC0 NtQueryVirtualMemory,	13_2_01AF2CC0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2C00 NtQueryInformationProcess,	13_2_01AF2C00
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2C60 NtCreateKey,	13_2_01AF2C60
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2FA0 NtQuerySection,	13_2_01AF2FA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2FB0 NtResumeThread,	13_2_01AF2FB0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2F90 NtProtectVirtualMemory,	13_2_01AF2F90
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2FE0 NtCreateFile,	13_2_01AF2FE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2F30 NtCreateSection,	13_2_01AF2F30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2F60 NtCreateProcessEx,	13_2_01AF2F60
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2EA0 NtAdjustPrivilegesToken,	13_2_01AF2EA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2E80 NtReadVirtualMemory,	13_2_01AF2E80
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2EE0 NtQueueApcThread,	13_2_01AF2EE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF2E30 NtWriteVirtualMemory,	13_2_01AF2E30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF3090 NtSetValueKey,	13_2_01AF3090
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF3010 NtOpenDirectoryObject,	13_2_01AF3010
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF39B0 NtGetContextThread,	13_2_01AF39B0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF3D10 NtOpenProcessToken,	13_2_01AF3D10
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF3D70 NtOpenThread,	13_2_01AF3D70

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_00FAD51C	0_2_00FAD51C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070BAE40	0_2_070BAE40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070BCC50	0_2_070BCC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B57CF	0_2_070B57CF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B57E0	0_2_070B57E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B7400	0_2_070B7400
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B53A8	0_2_070B53A8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B4F60	0_2_070B4F60
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B4F70	0_2_070B4F70
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070BAE30	0_2_070BAE30
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B4B28	0_2_070B4B28
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B4B38	0_2_070B4B38
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070BAE40	0_2_070BAE40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310100	8_2_01310100
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01366000	8_2_01366000
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013A02C0	8_2_013A02C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320535	8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01344750	8_2_01344750
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131C7C0	8_2_0131C7C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133C6E0	8_2_0133C6E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01336962	8_2_01336962
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132A840	8_2_0132A840
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01322840	8_2_01322840
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013068B8	8_2_013068B8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01358890	8_2_01358890
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E8F0	8_2_0134E8F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132AD00	8_2_0132AD00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132ED7A	8_2_0132ED7A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01338DBF	8_2_01338DBF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131ADE0	8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01328DC0	8_2_01328DC0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320C00	8_2_01320C00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310CF2	8_2_01310CF2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01340F30	8_2_01340F30
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01362F28	8_2_01362F28
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394F40	8_2_01394F40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139EFA0	8_2_0139EFA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01312FC8	8_2_01312FC8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320E59	8_2_01320E59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01332E90	8_2_01332E90
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130F172	8_2_0130F172
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0135516C	8_2_0135516C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132B1B0	8_2_0132B1B0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130D34C	8_2_0130D34C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013233F3	8_2_013233F3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013252A0	8_2_013252A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133D2F0	8_2_0133D2F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133B2C0	8_2_0133B2C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01311460	8_2_01311460
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01323497	8_2_01323497
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013674E0	8_2_013674E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132B730	8_2_0132B730
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01329950	8_2_01329950
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133B950	8_2_0133B950
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01325990	8_2_01325990
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138D800	8_2_0138D800
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013238E0	8_2_013238E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133FB80	8_2_0133FB80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01395BF0	8_2_01395BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0135DBF9	8_2_0135DBF9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01393A6C	8_2_01393A6C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01323D40	8_2_01323D40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133FDC0	8_2_0133FDC0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01399C32	8_2_01399C32
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01339C20	8_2_01339C20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01321F92	8_2_01321F92
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01329EB0	8_2_01329EB0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0042ED23	8_2_0042ED23
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_00CAD51C	9_2_00CAD51C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_04CF6BE0	9_2_04CF6BE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_04CF0040	9_2_04CF0040
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_04CF0007	9_2_04CF0007
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_04CF6BD8	9_2_04CF6BD8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_04CF6BD1	9_2_04CF6BD1
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_052B5EE8	9_2_052B5EE8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_052BC520	9_2_052BC520
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_052B5020	9_2_052B5020
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C3BE50	9_2_06C3BE50
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C3A040	9_2_06C3A040
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C357D9	9_2_06C357D9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C357E0	9_2_06C357E0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C34F69	9_2_06C34F69
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C34F70	9_2_06C34F70
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C3A040	9_2_06C3A040
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C37400	9_2_06C37400
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C353A8	9_2_06C353A8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C34B28	9_2_06C34B28
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C34B38	9_2_06C34B38
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C3A03E	9_2_06C3A03E
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_00403040	13_2_00403040
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0041694E	13_2_0041694E
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_00416953	13_2_00416953
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040E153	13_2_0040E153
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_00410173	13_2_00410173
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_00401210	13_2_00401210
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040E297	13_2_0040E297
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040E2A3	13_2_0040E2A3
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_00402440	13_2_00402440
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040243B	13_2_0040243B
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0042ED23	13_2_0042ED23
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040FF53	13_2_0040FF53
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_004027A0	13_2_004027A0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B801AA	13_2_01B801AA
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B741A2	13_2_01B741A2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B781CC	13_2_01B781CC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AB0100	13_2_01AB0100
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B5A118	13_2_01B5A118
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B48158	13_2_01B48158
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B52000	13_2_01B52000
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ACE3F0	13_2_01ACE3F0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B803E6	13_2_01B803E6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7A352	13_2_01B7A352
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B402C0	13_2_01B402C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B60274	13_2_01B60274
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B80591	13_2_01B80591
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC0535	13_2_01AC0535
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B6E4F6	13_2_01B6E4F6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B64420	13_2_01B64420
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B72446	13_2_01B72446
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ABC7C0	13_2_01ABC7C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC0770	13_2_01AC0770
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AE4750	13_2_01AE4750
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ADC6E0	13_2_01ADC6E0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC29A0	13_2_01AC29A0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B8A9A6	13_2_01B8A9A6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AD6962	13_2_01AD6962
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AA68B8	13_2_01AA68B8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AEE8F0	13_2_01AEE8F0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ACA840	13_2_01ACA840
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC2840	13_2_01AC2840
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B76BD7	13_2_01B76BD7
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7AB40	13_2_01B7AB40
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ABEA80	13_2_01ABEA80
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AD8DBF	13_2_01AD8DBF
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ABADE0	13_2_01ABADE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B5CD1F	13_2_01B5CD1F
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ACAD00	13_2_01ACAD00
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B60CB5	13_2_01B60CB5
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AB0CF2	13_2_01AB0CF2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC0C00	13_2_01AC0C00
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B3EFA0	13_2_01B3EFA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AB2FC8	13_2_01AB2FC8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B62F30	13_2_01B62F30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B02F28	13_2_01B02F28
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AE0F30	13_2_01AE0F30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B34F40	13_2_01B34F40
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7CE93	13_2_01B7CE93
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AD2E90	13_2_01AD2E90
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7EEDB	13_2_01B7EEDB
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7EE26	13_2_01B7EE26
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC0E59	13_2_01AC0E59
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ACB1B0	13_2_01ACB1B0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AF516C	13_2_01AF516C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B8B16B	13_2_01B8B16B
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AAF172	13_2_01AAF172
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7F0E0	13_2_01B7F0E0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B770E9	13_2_01B770E9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC70C0	13_2_01AC70C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B6F0CC	13_2_01B6F0CC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B0739A	13_2_01B0739A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7132D	13_2_01B7132D
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AAD34C	13_2_01AAD34C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC52A0	13_2_01AC52A0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B612ED	13_2_01B612ED
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ADB2C0	13_2_01ADB2C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B5D5B0	13_2_01B5D5B0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B895C3	13_2_01B895C3
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B77571	13_2_01B77571
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7F43F	13_2_01B7F43F
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AB1460	13_2_01AB1460
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7F7B0	13_2_01B7F7B0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B716CC	13_2_01B716CC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B05630	13_2_01B05630
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B55910	13_2_01B55910
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC9950	13_2_01AC9950
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ADB950	13_2_01ADB950
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC38E0	13_2_01AC38E0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B2D800	13_2_01B2D800
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ADFB80	13_2_01ADFB80
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B35BF0	13_2_01B35BF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AFDBF9	13_2_01AFDBF9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7FB76	13_2_01B7FB76
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B05AA0	13_2_01B05AA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B61AA3	13_2_01B61AA3
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B5DAAC	13_2_01B5DAAC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B6DAC6	13_2_01B6DAC6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B33A6C	13_2_01B33A6C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B77A46	13_2_01B77A46
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7FA49	13_2_01B7FA49
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01ADFDC0	13_2_01ADFDC0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B77D73	13_2_01B77D73
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC3D40	13_2_01AC3D40
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B71D5A	13_2_01B71D5A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7FCF2	13_2_01B7FCF2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B39C32	13_2_01B39C32
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7FFB1	13_2_01B7FFB1
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC1F92	13_2_01AC1F92
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01A83FD2	13_2_01A83FD2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01A83FD5	13_2_01A83FD5
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01B7FF09	13_2_01B7FF09
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AC9EB0	13_2_01AC9EB0

Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: String function: 01AAB970 appears 265 times
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: String function: 01B3F290 appears 105 times
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: String function: 01B07E54 appears 108 times
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: String function: 01B2EA12 appears 86 times
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: String function: 01AF5130 appears 58 times
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: String function: 01367E54 appears 96 times
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: String function: 0138EA12 appears 36 times

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 196

Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741267977.00000000053A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1737448738.0000000003C69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1743663404.0000000007400000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1733845497.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRutq.exe4 vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe	Binary or memory string: OriginalFilenameRutq.exe4 vs z2PaymentAdviceD00772795264733.exe

Source: z2PaymentAdviceD00772795264733.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: z2PaymentAdviceD00772795264733.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YDKFDa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, KclBcqQh9EO5xB8FFV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, KclBcqQh9EO5xB8FFV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/20@0/0

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

File created: C:\Users\user\AppData\Roaming\YDKFDa.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZAgVEtzlouGRfEVeNhaUyLVh
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7736

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB018.tmp

Jump to behavior

Source: z2PaymentAdviceD00772795264733.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z2PaymentAdviceD00772795264733.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);

Source: z2PaymentAdviceD00772795264733.exe	ReversingLabs: Detection: 34%
Source: z2PaymentAdviceD00772795264733.exe	Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

File read: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe C:\Users\user\AppData\Roaming\YDKFDa.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe "C:\Users\user\AppData\Roaming\YDKFDa.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 196
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe "C:\Users\user\AppData\Roaming\YDKFDa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: z2PaymentAdviceD00772795264733.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z2PaymentAdviceD00772795264733.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: YDKFDa.exe, 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: YDKFDa.exe, YDKFDa.exe, 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: z2PaymentAdviceD00772795264733.exe, InnerForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: YDKFDa.exe.0.dr, InnerForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	.Net Code: na20fbkxvCbswZsQi8E System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	.Net Code: na20fbkxvCbswZsQi8E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_00FADB84 pushfd ; ret	0_2_00FADB89
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 0_2_070B7210 push eax; ret	0_2_070B7211
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0135C54D pushfd ; ret	8_2_0135C54E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0135C54F push 8B012E67h; ret	8_2_0135C554
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013109AD push ecx; mov dword ptr [esp], ecx	8_2_013109B6
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0135C9D7 push edi; ret	8_2_0135C9D9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_012E1368 push eax; iretd	8_2_012E1369
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_012E1FEC push eax; iretd	8_2_012E1FED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01367E99 push ecx; ret	8_2_01367EAC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_04CF3F14 push 00000039h; iretd	9_2_04CF3F16
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_04CF5B27 push ecx; iretd	9_2_04CF5B28
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C33291 pushfd ; retn 0006h	9_2_06C33292
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C33268 pushfd ; retn 0006h	9_2_06C3326A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 9_2_06C37210 push eax; ret	9_2_06C37211
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040587C push edi; iretd	13_2_0040587D
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_004118C9 pushfd ; iretd	13_2_004118D6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0041713B push cs; iretd	13_2_0041714A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_004032C0 push eax; ret	13_2_004032C2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040AABE push edi; retf	13_2_0040AABF
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_00414C5F push cs; retf	13_2_00414C69
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0041EDFB push ss; retf	13_2_0041EE2D
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040D580 push ebx; iretd	13_2_0040D581
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040ADAA push esi; retf	13_2_0040ADAD
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_00423E23 push 0000006Dh; iretd	13_2_00423E2C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_0040163A pushad ; retf	13_2_004016C1
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01A8225F pushad ; ret	13_2_01A827F9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01A827FA pushad ; ret	13_2_01A827F9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01AB09AD push ecx; mov dword ptr [esp], ecx	13_2_01AB09B6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01A8283D push eax; iretd	13_2_01A82858
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Code function: 13_2_01A81368 push eax; iretd	13_2_01A81369

Source: z2PaymentAdviceD00772795264733.exe	Static PE information: section name: .text entropy: 7.559709019658348
Source: YDKFDa.exe.0.dr	Static PE information: section name: .text entropy: 7.559709019658348

Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, nYmvkdAhZCTYJuCKng.cs	High entropy of concatenated method names: 'Of1gTWHDQM', 'uZIguuIFH7', 'p2mgg9clij', 'NbFgYPwWEj', 'ti0gw9JmyB', 'PNmgjHGfy7', 'Dispose', 'B2X5kZRTZ9', 'kkV5qLvpok', 'vVl594D9pd'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, K1cJufyyCIR2KIpHJ9.cs	High entropy of concatenated method names: 'w9qfDqVUum', 'AhWfZOTKO9', 'SGf9EfGd1e', 'DxE9oWHjqD', 'eBf919pwyb', 'Sq69aPH0mQ', 'equ9iMRMpa', 'ydP9VZEOAZ', 'CsE90dMGGE', 'O9s92hfXsb'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, Yy2ZFgqwegfi3FfEQt.cs	High entropy of concatenated method names: 'Dispose', 'PTYxNJuCKn', 'T0QclsOZuN', 'XtehktNMnh', 'svUxGel8Fi', 'x4IxzFVEHF', 'ProcessDialogKey', 'XLZctb816g', 'lDWcxobXNK', 'lWbccgu07t'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	High entropy of concatenated method names: 'Tb9HP5lPN1', 'KLwHk4JiBZ', 'WbbHq2ZZ9r', 'G6CH9brl87', 'Qi7HfWMXCC', 'd4pHn82Gp6', 'fubHFd6JMx', 'kilHBlp8TA', 'HsrHOcgNUN', 'OlbHrkAq9a'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, ru07t6GJ9lAd9dj6MC.cs	High entropy of concatenated method names: 'm3B39xV5qW', 'Vtt3fZbZ7L', 'FsW3n9LqUV', 't3R3FXXsO3', 'nw23g3FKAQ', 'o9E3BLCvXl', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, BRTYplzfvjAyl2MOEb.cs	High entropy of concatenated method names: 'vSK3J7h3JM', 'qUg3Qjiueh', 'dnc3bClPli', 'yqe3Svl1GT', 'aEl3l9gqYm', 'G0O3owvxD2', 'wtL31rDiWL', 'FRQ3jYwrUK', 'KEZ3hfkAKc', 'fwd3KawluM'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, xMnfXU0XNQ1ICiOOEr.cs	High entropy of concatenated method names: 'Qn2Fhkomjx', 'Hn1FKYuroc', 'IqvFe3XrZd', 'wSwFX86CEJ', 'I58FDOiXUh', 'YTDFJQBmmV', 'hpqFZIHjWS', 'T7jFQbQoyl', 'Yw6FbD40fh', 'kmXFyv7Kxk'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, uFmxiaRiFr2QYCpV8s.cs	High entropy of concatenated method names: 'lyixFclBcq', 'x9ExBO5xB8', 'MLGxrnffu3', 'h0oxMra1cJ', 'TpHxTJ91ds', 'qC3xsHhQ33', 'IGl0bmfw6ZP44gR6nJ', 'XcMdYGq5LMtGCb4Evq', 'P52xxd6wMT', 'FUmxHwOlfu'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, BowMBBcoHQWY7UbhLX.cs	High entropy of concatenated method names: 'aQLeN9q9q', 'vlbXJZQTq', 'a3yJBqiix', 'xSLZtm80L', 'm95bvwq89', 'udgyFA9M9', 'tDcbPNwCVn2HvLcP3L', 'z7k78v0qUlhKJ3pO58', 'Bqa57FeHZ', 'En43eR8Wx'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, F5EVg8xHOk1fwqogjLZ.cs	High entropy of concatenated method names: 'pDGYGUUgch', 'FiMYzXLlYe', 'cvd6t4VfY5', 'IIciZMcRfmCJk1lVUGe', 'c1eUiXcMKDNQoFyNqmZ', 'MHemprcUdf1wJ5PMix5', 'BvOWebcmrJZjA3twxGW', 'JwahUdcys2naV7wX8it'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, JdsuC3SHhQ3393ODHe.cs	High entropy of concatenated method names: 'uFfnP5pOkB', 'sVNnqSskIG', 'f2Jnfl7k4w', 'vEGnF5vfOr', 'XilnBXTakN', 'X1lf8S8kIw', 'MaGfpsVpPR', 'e2yfAMgpUO', 'xUkfLBfqcR', 'cWxfNcMdV8'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, cXsjaxxR9WVEt6jwxfJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uIC6gv6uwH', 'duI63TFi6u', 'bO26Ylwrhs', 'il666Ev8P8', 'VfY6wxbuod', 's4m6mp2pci', 'l0k6jFJmS2'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, Avjx1C76uigvtU6Qws.cs	High entropy of concatenated method names: 'tvOUQucBuw', 'EbdUbheP8A', 'A3sUSKnFSP', 'xcpUleTGwZ', 'qwOUoy5JrT', 'D1lU1vbJr1', 'l0pUiHrio7', 'oAvUVRWVDN', 'K96U2skIiL', 'dCuUWXnoFL'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, Db816gNODWobXNKOWb.cs	High entropy of concatenated method names: 'j3bgSGuTgM', 'abmglaXKJt', 'kBvgEOvDrr', 'OHsgostY2g', 'rLIg1Tll5h', 'KoygaEmv5x', 'kOGgiHKhkZ', 'RnMgVob5Gb', 'lF8g0f4xoY', 'dM7g28MZQy'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, KclBcqQh9EO5xB8FFV.cs	High entropy of concatenated method names: 'inNq4myadW', 'jrmqdkrh9o', 'CKXqvSirpx', 'EOJqIyBaOh', 'eDtq8qD8XC', 'Kqjqp87vI0', 'bjxqAk0F8a', 'joCqL0Y6i2', 'LQDqNXePJt', 'aBhqGyrqGV'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, j4pcLcvHWRp4PuZTlQ.cs	High entropy of concatenated method names: 'ToString', 'U11sWV2XCI', 'gTLslQvjel', 'JVnsEykBDT', 'ivDso9JyHK', 'FP8s1mmDAc', 'kj4saeYOnI', 'iHasiKunK0', 'XFIsVV1Am7', 'OiNs0eUaLv'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, X39TauIjDMCm1sa1xU.cs	High entropy of concatenated method names: 'nBOurEU7bS', 'VT5uMVeflB', 'ToString', 'K3eukBouq0', 'ubRuqeFynm', 'Ft8u9Ho3XV', 's2Xuftl2CT', 'pZ9unitQDP', 'zlAuFOKHVa', 'tIBuBpo0XR'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, aqKuXnp4ZmPrRxRDrx.cs	High entropy of concatenated method names: 'N1VuLW8Zk3', 'SsluG94Cdr', 'yES5txbAgO', 'pPY5x2Clxs', 'tRsuWTYhE3', 'VAVuC2IsdG', 'FLau70B9HP', 'OU4u42Tunu', 'IT0udWaqFB', 'vbSuv883e9'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, mXGWpgxxAZFw381ML7N.cs	High entropy of concatenated method names: 'f1c3GSDgKq', 'ENt3zIMPlx', 'jxpYtONDeV', 'naGYx9dq5m', 'jqfYcS0pMY', 'lB5YHTTlth', 'K47YRjtEvy', 'egEYPA1CyM', 'TuaYkeWNhs', 'wK1YqMNjdo'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, d7M2AVbLGnffu390or.cs	High entropy of concatenated method names: 'smc9X5nRJd', 'jm99JffGic', 'Rqk9Q6Selu', 'jbB9bCNg0s', 'I3p9T8xfNQ', 'Cjx9sS5gc2', 'HBw9ui8Gvd', 'cpx95G9lOW', 'rmi9gxMUgF', 'h8V93v0LWF'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, unuVG2iWVfBeNU5qM5.cs	High entropy of concatenated method names: 'YRhFkblV54', 'jkBF9PuayM', 'NdqFnbkE6I', 'DrSnGnL7FW', 'ERSnzhgc4m', 'oIUFtDLVXH', 'MHpFxcS2qu', 'ziUFctCShR', 'onbFH8NrTj', 'VdCFRrItf5'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, I3XxJdxt0LPKVUcBRnY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u3v3W847Ch', 'A4d3C9Mldt', 'yM437vWmgQ', 'RN334xrdJX', 'QQO3dnkr8a', 'EvL3vMUij3', 'MLn3I17TQY'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, qI8ifR4gNHogmluKif.cs	High entropy of concatenated method names: 'wYsT2NaVgv', 'joWTCxMvSq', 'PysT4jeQ3d', 'uSjTdkiGM1', 'HYSTl06ZO3', 'DnpTE0sK5N', 'S0BToeJk9k', 'htlT1XWZCw', 'DDZTaU4XqI', 'Rt4TiAlomP'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, nYmvkdAhZCTYJuCKng.cs	High entropy of concatenated method names: 'Of1gTWHDQM', 'uZIguuIFH7', 'p2mgg9clij', 'NbFgYPwWEj', 'ti0gw9JmyB', 'PNmgjHGfy7', 'Dispose', 'B2X5kZRTZ9', 'kkV5qLvpok', 'vVl594D9pd'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, K1cJufyyCIR2KIpHJ9.cs	High entropy of concatenated method names: 'w9qfDqVUum', 'AhWfZOTKO9', 'SGf9EfGd1e', 'DxE9oWHjqD', 'eBf919pwyb', 'Sq69aPH0mQ', 'equ9iMRMpa', 'ydP9VZEOAZ', 'CsE90dMGGE', 'O9s92hfXsb'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, Yy2ZFgqwegfi3FfEQt.cs	High entropy of concatenated method names: 'Dispose', 'PTYxNJuCKn', 'T0QclsOZuN', 'XtehktNMnh', 'svUxGel8Fi', 'x4IxzFVEHF', 'ProcessDialogKey', 'XLZctb816g', 'lDWcxobXNK', 'lWbccgu07t'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs	High entropy of concatenated method names: 'Tb9HP5lPN1', 'KLwHk4JiBZ', 'WbbHq2ZZ9r', 'G6CH9brl87', 'Qi7HfWMXCC', 'd4pHn82Gp6', 'fubHFd6JMx', 'kilHBlp8TA', 'HsrHOcgNUN', 'OlbHrkAq9a'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, ru07t6GJ9lAd9dj6MC.cs	High entropy of concatenated method names: 'm3B39xV5qW', 'Vtt3fZbZ7L', 'FsW3n9LqUV', 't3R3FXXsO3', 'nw23g3FKAQ', 'o9E3BLCvXl', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, BRTYplzfvjAyl2MOEb.cs	High entropy of concatenated method names: 'vSK3J7h3JM', 'qUg3Qjiueh', 'dnc3bClPli', 'yqe3Svl1GT', 'aEl3l9gqYm', 'G0O3owvxD2', 'wtL31rDiWL', 'FRQ3jYwrUK', 'KEZ3hfkAKc', 'fwd3KawluM'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, xMnfXU0XNQ1ICiOOEr.cs	High entropy of concatenated method names: 'Qn2Fhkomjx', 'Hn1FKYuroc', 'IqvFe3XrZd', 'wSwFX86CEJ', 'I58FDOiXUh', 'YTDFJQBmmV', 'hpqFZIHjWS', 'T7jFQbQoyl', 'Yw6FbD40fh', 'kmXFyv7Kxk'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, uFmxiaRiFr2QYCpV8s.cs	High entropy of concatenated method names: 'lyixFclBcq', 'x9ExBO5xB8', 'MLGxrnffu3', 'h0oxMra1cJ', 'TpHxTJ91ds', 'qC3xsHhQ33', 'IGl0bmfw6ZP44gR6nJ', 'XcMdYGq5LMtGCb4Evq', 'P52xxd6wMT', 'FUmxHwOlfu'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, BowMBBcoHQWY7UbhLX.cs	High entropy of concatenated method names: 'aQLeN9q9q', 'vlbXJZQTq', 'a3yJBqiix', 'xSLZtm80L', 'm95bvwq89', 'udgyFA9M9', 'tDcbPNwCVn2HvLcP3L', 'z7k78v0qUlhKJ3pO58', 'Bqa57FeHZ', 'En43eR8Wx'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, F5EVg8xHOk1fwqogjLZ.cs	High entropy of concatenated method names: 'pDGYGUUgch', 'FiMYzXLlYe', 'cvd6t4VfY5', 'IIciZMcRfmCJk1lVUGe', 'c1eUiXcMKDNQoFyNqmZ', 'MHemprcUdf1wJ5PMix5', 'BvOWebcmrJZjA3twxGW', 'JwahUdcys2naV7wX8it'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, JdsuC3SHhQ3393ODHe.cs	High entropy of concatenated method names: 'uFfnP5pOkB', 'sVNnqSskIG', 'f2Jnfl7k4w', 'vEGnF5vfOr', 'XilnBXTakN', 'X1lf8S8kIw', 'MaGfpsVpPR', 'e2yfAMgpUO', 'xUkfLBfqcR', 'cWxfNcMdV8'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, cXsjaxxR9WVEt6jwxfJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uIC6gv6uwH', 'duI63TFi6u', 'bO26Ylwrhs', 'il666Ev8P8', 'VfY6wxbuod', 's4m6mp2pci', 'l0k6jFJmS2'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, Avjx1C76uigvtU6Qws.cs	High entropy of concatenated method names: 'tvOUQucBuw', 'EbdUbheP8A', 'A3sUSKnFSP', 'xcpUleTGwZ', 'qwOUoy5JrT', 'D1lU1vbJr1', 'l0pUiHrio7', 'oAvUVRWVDN', 'K96U2skIiL', 'dCuUWXnoFL'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, Db816gNODWobXNKOWb.cs	High entropy of concatenated method names: 'j3bgSGuTgM', 'abmglaXKJt', 'kBvgEOvDrr', 'OHsgostY2g', 'rLIg1Tll5h', 'KoygaEmv5x', 'kOGgiHKhkZ', 'RnMgVob5Gb', 'lF8g0f4xoY', 'dM7g28MZQy'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, KclBcqQh9EO5xB8FFV.cs	High entropy of concatenated method names: 'inNq4myadW', 'jrmqdkrh9o', 'CKXqvSirpx', 'EOJqIyBaOh', 'eDtq8qD8XC', 'Kqjqp87vI0', 'bjxqAk0F8a', 'joCqL0Y6i2', 'LQDqNXePJt', 'aBhqGyrqGV'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, j4pcLcvHWRp4PuZTlQ.cs	High entropy of concatenated method names: 'ToString', 'U11sWV2XCI', 'gTLslQvjel', 'JVnsEykBDT', 'ivDso9JyHK', 'FP8s1mmDAc', 'kj4saeYOnI', 'iHasiKunK0', 'XFIsVV1Am7', 'OiNs0eUaLv'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, X39TauIjDMCm1sa1xU.cs	High entropy of concatenated method names: 'nBOurEU7bS', 'VT5uMVeflB', 'ToString', 'K3eukBouq0', 'ubRuqeFynm', 'Ft8u9Ho3XV', 's2Xuftl2CT', 'pZ9unitQDP', 'zlAuFOKHVa', 'tIBuBpo0XR'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, aqKuXnp4ZmPrRxRDrx.cs	High entropy of concatenated method names: 'N1VuLW8Zk3', 'SsluG94Cdr', 'yES5txbAgO', 'pPY5x2Clxs', 'tRsuWTYhE3', 'VAVuC2IsdG', 'FLau70B9HP', 'OU4u42Tunu', 'IT0udWaqFB', 'vbSuv883e9'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, mXGWpgxxAZFw381ML7N.cs	High entropy of concatenated method names: 'f1c3GSDgKq', 'ENt3zIMPlx', 'jxpYtONDeV', 'naGYx9dq5m', 'jqfYcS0pMY', 'lB5YHTTlth', 'K47YRjtEvy', 'egEYPA1CyM', 'TuaYkeWNhs', 'wK1YqMNjdo'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, d7M2AVbLGnffu390or.cs	High entropy of concatenated method names: 'smc9X5nRJd', 'jm99JffGic', 'Rqk9Q6Selu', 'jbB9bCNg0s', 'I3p9T8xfNQ', 'Cjx9sS5gc2', 'HBw9ui8Gvd', 'cpx95G9lOW', 'rmi9gxMUgF', 'h8V93v0LWF'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, unuVG2iWVfBeNU5qM5.cs	High entropy of concatenated method names: 'YRhFkblV54', 'jkBF9PuayM', 'NdqFnbkE6I', 'DrSnGnL7FW', 'ERSnzhgc4m', 'oIUFtDLVXH', 'MHpFxcS2qu', 'ziUFctCShR', 'onbFH8NrTj', 'VdCFRrItf5'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, I3XxJdxt0LPKVUcBRnY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u3v3W847Ch', 'A4d3C9Mldt', 'yM437vWmgQ', 'RN334xrdJX', 'QQO3dnkr8a', 'EvL3vMUij3', 'MLn3I17TQY'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, qI8ifR4gNHogmluKif.cs	High entropy of concatenated method names: 'wYsT2NaVgv', 'joWTCxMvSq', 'PysT4jeQ3d', 'uSjTdkiGM1', 'HYSTl06ZO3', 'DnpTE0sK5N', 'S0BToeJk9k', 'htlT1XWZCw', 'DDZTaU4XqI', 'Rt4TiAlomP'

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

File created: C:\Users\user\AppData\Roaming\YDKFDa.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: z2PaymentAdviceD00772795264733.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YDKFDa.exe PID: 7792, type: MEMORYSTR

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Memory allocated: 78C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Memory allocated: 88C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Memory allocated: 8A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Memory allocated: 9A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Memory allocated: 4770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Memory allocated: 71B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Memory allocated: 81B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Memory allocated: 8350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Memory allocated: 9350000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Code function: 8_2_0130E0D0 rdtsc

8_2_0130E0D0

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5837			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5321			Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	API coverage: 0.1 %
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	API coverage: 0.6 %

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe TID: 7332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe TID: 7828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe TID: 8128	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1733845497.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\'
Source: Amcache.hve.19.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.19.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1733845497.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.19.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Code function: 8_2_0130E0D0 rdtsc

8_2_0130E0D0

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Code function: 8_2_01352DF0 LdrInitializeThunk,

8_2_01352DF0

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01340124 mov eax, dword ptr fs:[00000030h]	8_2_01340124
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01352160 mov eax, dword ptr fs:[00000030h]	8_2_01352160
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316154 mov eax, dword ptr fs:[00000030h]	8_2_01316154
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316154 mov eax, dword ptr fs:[00000030h]	8_2_01316154
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130C156 mov eax, dword ptr fs:[00000030h]	8_2_0130C156
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01312140 mov ecx, dword ptr fs:[00000030h]	8_2_01312140
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01312140 mov eax, dword ptr fs:[00000030h]	8_2_01312140
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139019F mov eax, dword ptr fs:[00000030h]	8_2_0139019F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139019F mov eax, dword ptr fs:[00000030h]	8_2_0139019F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139019F mov eax, dword ptr fs:[00000030h]	8_2_0139019F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139019F mov eax, dword ptr fs:[00000030h]	8_2_0139019F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A197 mov eax, dword ptr fs:[00000030h]	8_2_0130A197
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A197 mov eax, dword ptr fs:[00000030h]	8_2_0130A197
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A197 mov eax, dword ptr fs:[00000030h]	8_2_0130A197
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01350185 mov eax, dword ptr fs:[00000030h]	8_2_01350185
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013401F8 mov eax, dword ptr fs:[00000030h]	8_2_013401F8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013261D1 mov eax, dword ptr fs:[00000030h]	8_2_013261D1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013261D1 mov eax, dword ptr fs:[00000030h]	8_2_013261D1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E1D0 mov ecx, dword ptr fs:[00000030h]	8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0136E1D8 mov eax, dword ptr fs:[00000030h]	8_2_0136E1D8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130C020 mov eax, dword ptr fs:[00000030h]	8_2_0130C020
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A020 mov eax, dword ptr fs:[00000030h]	8_2_0130A020
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132E016 mov eax, dword ptr fs:[00000030h]	8_2_0132E016
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132E016 mov eax, dword ptr fs:[00000030h]	8_2_0132E016
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132E016 mov eax, dword ptr fs:[00000030h]	8_2_0132E016
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132E016 mov eax, dword ptr fs:[00000030h]	8_2_0132E016
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394000 mov ecx, dword ptr fs:[00000030h]	8_2_01394000
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133C073 mov eax, dword ptr fs:[00000030h]	8_2_0133C073
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A060 mov eax, dword ptr fs:[00000030h]	8_2_0134A060
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01312050 mov eax, dword ptr fs:[00000030h]	8_2_01312050
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01396050 mov eax, dword ptr fs:[00000030h]	8_2_01396050
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013080A0 mov eax, dword ptr fs:[00000030h]	8_2_013080A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131208A mov eax, dword ptr fs:[00000030h]	8_2_0131208A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130C0F0 mov eax, dword ptr fs:[00000030h]	8_2_0130C0F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013520F0 mov ecx, dword ptr fs:[00000030h]	8_2_013520F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A0E3 mov ecx, dword ptr fs:[00000030h]	8_2_0130A0E3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013180E9 mov eax, dword ptr fs:[00000030h]	8_2_013180E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013960E0 mov eax, dword ptr fs:[00000030h]	8_2_013960E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013920DE mov eax, dword ptr fs:[00000030h]	8_2_013920DE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01312324 mov eax, dword ptr fs:[00000030h]	8_2_01312324
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130C310 mov ecx, dword ptr fs:[00000030h]	8_2_0130C310
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01330310 mov ecx, dword ptr fs:[00000030h]	8_2_01330310
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A30B mov eax, dword ptr fs:[00000030h]	8_2_0134A30B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A30B mov eax, dword ptr fs:[00000030h]	8_2_0134A30B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A30B mov eax, dword ptr fs:[00000030h]	8_2_0134A30B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h]	8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h]	8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h]	8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139035C mov ecx, dword ptr fs:[00000030h]	8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h]	8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h]	8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h]	8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308397 mov eax, dword ptr fs:[00000030h]	8_2_01308397
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308397 mov eax, dword ptr fs:[00000030h]	8_2_01308397
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308397 mov eax, dword ptr fs:[00000030h]	8_2_01308397
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130E388 mov eax, dword ptr fs:[00000030h]	8_2_0130E388
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130E388 mov eax, dword ptr fs:[00000030h]	8_2_0130E388
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130E388 mov eax, dword ptr fs:[00000030h]	8_2_0130E388
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133438F mov eax, dword ptr fs:[00000030h]	8_2_0133438F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133438F mov eax, dword ptr fs:[00000030h]	8_2_0133438F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013463FF mov eax, dword ptr fs:[00000030h]	8_2_013463FF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h]	8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h]	8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h]	8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h]	8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h]	8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h]	8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h]	8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h]	8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h]	8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013183C0 mov eax, dword ptr fs:[00000030h]	8_2_013183C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013183C0 mov eax, dword ptr fs:[00000030h]	8_2_013183C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013183C0 mov eax, dword ptr fs:[00000030h]	8_2_013183C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013183C0 mov eax, dword ptr fs:[00000030h]	8_2_013183C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013963C0 mov eax, dword ptr fs:[00000030h]	8_2_013963C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130823B mov eax, dword ptr fs:[00000030h]	8_2_0130823B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320218 mov eax, dword ptr fs:[00000030h]	8_2_01320218
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01314260 mov eax, dword ptr fs:[00000030h]	8_2_01314260
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01314260 mov eax, dword ptr fs:[00000030h]	8_2_01314260
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01314260 mov eax, dword ptr fs:[00000030h]	8_2_01314260
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130826B mov eax, dword ptr fs:[00000030h]	8_2_0130826B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A250 mov eax, dword ptr fs:[00000030h]	8_2_0130A250
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316259 mov eax, dword ptr fs:[00000030h]	8_2_01316259
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01398243 mov eax, dword ptr fs:[00000030h]	8_2_01398243
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01398243 mov ecx, dword ptr fs:[00000030h]	8_2_01398243
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013202A0 mov eax, dword ptr fs:[00000030h]	8_2_013202A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013202A0 mov eax, dword ptr fs:[00000030h]	8_2_013202A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E284 mov eax, dword ptr fs:[00000030h]	8_2_0134E284
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E284 mov eax, dword ptr fs:[00000030h]	8_2_0134E284
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01390283 mov eax, dword ptr fs:[00000030h]	8_2_01390283
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01390283 mov eax, dword ptr fs:[00000030h]	8_2_01390283
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01390283 mov eax, dword ptr fs:[00000030h]	8_2_01390283
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013202E1 mov eax, dword ptr fs:[00000030h]	8_2_013202E1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013202E1 mov eax, dword ptr fs:[00000030h]	8_2_013202E1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013202E1 mov eax, dword ptr fs:[00000030h]	8_2_013202E1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h]	8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h]	8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h]	8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h]	8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h]	8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h]	8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h]	8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h]	8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h]	8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h]	8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h]	8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h]	8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134656A mov eax, dword ptr fs:[00000030h]	8_2_0134656A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134656A mov eax, dword ptr fs:[00000030h]	8_2_0134656A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134656A mov eax, dword ptr fs:[00000030h]	8_2_0134656A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013345B1 mov eax, dword ptr fs:[00000030h]	8_2_013345B1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013345B1 mov eax, dword ptr fs:[00000030h]	8_2_013345B1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E59C mov eax, dword ptr fs:[00000030h]	8_2_0134E59C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A580 mov ecx, dword ptr fs:[00000030h]	8_2_0130A580
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A580 mov eax, dword ptr fs:[00000030h]	8_2_0130A580
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01312582 mov eax, dword ptr fs:[00000030h]	8_2_01312582
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01312582 mov ecx, dword ptr fs:[00000030h]	8_2_01312582
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01344588 mov eax, dword ptr fs:[00000030h]	8_2_01344588
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013125E0 mov eax, dword ptr fs:[00000030h]	8_2_013125E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h]	8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C5ED mov eax, dword ptr fs:[00000030h]	8_2_0134C5ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C5ED mov eax, dword ptr fs:[00000030h]	8_2_0134C5ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013165D0 mov eax, dword ptr fs:[00000030h]	8_2_013165D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A5D0 mov eax, dword ptr fs:[00000030h]	8_2_0134A5D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A5D0 mov eax, dword ptr fs:[00000030h]	8_2_0134A5D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E5CF mov eax, dword ptr fs:[00000030h]	8_2_0134E5CF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E5CF mov eax, dword ptr fs:[00000030h]	8_2_0134E5CF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A430 mov eax, dword ptr fs:[00000030h]	8_2_0134A430
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130E420 mov eax, dword ptr fs:[00000030h]	8_2_0130E420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130E420 mov eax, dword ptr fs:[00000030h]	8_2_0130E420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130E420 mov eax, dword ptr fs:[00000030h]	8_2_0130E420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130C427 mov eax, dword ptr fs:[00000030h]	8_2_0130C427
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h]	8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h]	8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h]	8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h]	8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h]	8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h]	8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h]	8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132E413 mov eax, dword ptr fs:[00000030h]	8_2_0132E413
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132E413 mov eax, dword ptr fs:[00000030h]	8_2_0132E413
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132E413 mov eax, dword ptr fs:[00000030h]	8_2_0132E413
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01348402 mov eax, dword ptr fs:[00000030h]	8_2_01348402
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01348402 mov eax, dword ptr fs:[00000030h]	8_2_01348402
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01348402 mov eax, dword ptr fs:[00000030h]	8_2_01348402
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133A470 mov eax, dword ptr fs:[00000030h]	8_2_0133A470
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133A470 mov eax, dword ptr fs:[00000030h]	8_2_0133A470
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133A470 mov eax, dword ptr fs:[00000030h]	8_2_0133A470
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139C460 mov ecx, dword ptr fs:[00000030h]	8_2_0139C460
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133245A mov eax, dword ptr fs:[00000030h]	8_2_0133245A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h]	8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h]	8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h]	8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h]	8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h]	8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h]	8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h]	8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h]	8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013444B0 mov ecx, dword ptr fs:[00000030h]	8_2_013444B0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139A4B0 mov eax, dword ptr fs:[00000030h]	8_2_0139A4B0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013064BA mov eax, dword ptr fs:[00000030h]	8_2_013064BA
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013164AB mov eax, dword ptr fs:[00000030h]	8_2_013164AB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316484 mov eax, dword ptr fs:[00000030h]	8_2_01316484
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013104E5 mov ecx, dword ptr fs:[00000030h]	8_2_013104E5
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134273C mov eax, dword ptr fs:[00000030h]	8_2_0134273C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134273C mov ecx, dword ptr fs:[00000030h]	8_2_0134273C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134273C mov eax, dword ptr fs:[00000030h]	8_2_0134273C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138C730 mov eax, dword ptr fs:[00000030h]	8_2_0138C730
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C720 mov eax, dword ptr fs:[00000030h]	8_2_0134C720
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C720 mov eax, dword ptr fs:[00000030h]	8_2_0134C720
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310710 mov eax, dword ptr fs:[00000030h]	8_2_01310710
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01340710 mov eax, dword ptr fs:[00000030h]	8_2_01340710
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C700 mov eax, dword ptr fs:[00000030h]	8_2_0134C700
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318770 mov eax, dword ptr fs:[00000030h]	8_2_01318770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h]	8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310750 mov eax, dword ptr fs:[00000030h]	8_2_01310750
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139E75D mov eax, dword ptr fs:[00000030h]	8_2_0139E75D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01352750 mov eax, dword ptr fs:[00000030h]	8_2_01352750
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01352750 mov eax, dword ptr fs:[00000030h]	8_2_01352750
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394755 mov eax, dword ptr fs:[00000030h]	8_2_01394755
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130A740 mov eax, dword ptr fs:[00000030h]	8_2_0130A740
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134674D mov esi, dword ptr fs:[00000030h]	8_2_0134674D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134674D mov eax, dword ptr fs:[00000030h]	8_2_0134674D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134674D mov eax, dword ptr fs:[00000030h]	8_2_0134674D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013107AF mov eax, dword ptr fs:[00000030h]	8_2_013107AF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C7F0 mov eax, dword ptr fs:[00000030h]	8_2_0134C7F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013147FB mov eax, dword ptr fs:[00000030h]	8_2_013147FB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013147FB mov eax, dword ptr fs:[00000030h]	8_2_013147FB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139E7E1 mov eax, dword ptr fs:[00000030h]	8_2_0139E7E1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013327ED mov eax, dword ptr fs:[00000030h]	8_2_013327ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013327ED mov eax, dword ptr fs:[00000030h]	8_2_013327ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013327ED mov eax, dword ptr fs:[00000030h]	8_2_013327ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131C7C0 mov eax, dword ptr fs:[00000030h]	8_2_0131C7C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013907C3 mov eax, dword ptr fs:[00000030h]	8_2_013907C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01348620 mov eax, dword ptr fs:[00000030h]	8_2_01348620
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01346620 mov eax, dword ptr fs:[00000030h]	8_2_01346620
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132E627 mov eax, dword ptr fs:[00000030h]	8_2_0132E627
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131262C mov eax, dword ptr fs:[00000030h]	8_2_0131262C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01352619 mov eax, dword ptr fs:[00000030h]	8_2_01352619
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E609 mov eax, dword ptr fs:[00000030h]	8_2_0138E609
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01342674 mov eax, dword ptr fs:[00000030h]	8_2_01342674
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A660 mov eax, dword ptr fs:[00000030h]	8_2_0134A660
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A660 mov eax, dword ptr fs:[00000030h]	8_2_0134A660
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132266C mov eax, dword ptr fs:[00000030h]	8_2_0132266C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132C640 mov eax, dword ptr fs:[00000030h]	8_2_0132C640
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013466B0 mov eax, dword ptr fs:[00000030h]	8_2_013466B0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C6A6 mov eax, dword ptr fs:[00000030h]	8_2_0134C6A6
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01314690 mov eax, dword ptr fs:[00000030h]	8_2_01314690
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01314690 mov eax, dword ptr fs:[00000030h]	8_2_01314690
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C68B mov eax, dword ptr fs:[00000030h]	8_2_0134C68B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013906F1 mov eax, dword ptr fs:[00000030h]	8_2_013906F1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013906F1 mov eax, dword ptr fs:[00000030h]	8_2_013906F1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0138E6F2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0138E6F2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0138E6F2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0138E6F2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013226EB mov eax, dword ptr fs:[00000030h]	8_2_013226EB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013226EB mov eax, dword ptr fs:[00000030h]	8_2_013226EB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013226EB mov eax, dword ptr fs:[00000030h]	8_2_013226EB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013226EB mov eax, dword ptr fs:[00000030h]	8_2_013226EB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A6C7 mov ebx, dword ptr fs:[00000030h]	8_2_0134A6C7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A6C7 mov eax, dword ptr fs:[00000030h]	8_2_0134A6C7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139892A mov eax, dword ptr fs:[00000030h]	8_2_0139892A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308918 mov eax, dword ptr fs:[00000030h]	8_2_01308918
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308918 mov eax, dword ptr fs:[00000030h]	8_2_01308918
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139C912 mov eax, dword ptr fs:[00000030h]	8_2_0139C912
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E908 mov eax, dword ptr fs:[00000030h]	8_2_0138E908
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138E908 mov eax, dword ptr fs:[00000030h]	8_2_0138E908
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139C97C mov eax, dword ptr fs:[00000030h]	8_2_0139C97C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01336962 mov eax, dword ptr fs:[00000030h]	8_2_01336962
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01336962 mov eax, dword ptr fs:[00000030h]	8_2_01336962
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01336962 mov eax, dword ptr fs:[00000030h]	8_2_01336962
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0135096E mov eax, dword ptr fs:[00000030h]	8_2_0135096E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0135096E mov edx, dword ptr fs:[00000030h]	8_2_0135096E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0135096E mov eax, dword ptr fs:[00000030h]	8_2_0135096E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A950 mov eax, dword ptr fs:[00000030h]	8_2_0134A950
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01390946 mov eax, dword ptr fs:[00000030h]	8_2_01390946
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013989B3 mov esi, dword ptr fs:[00000030h]	8_2_013989B3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013989B3 mov eax, dword ptr fs:[00000030h]	8_2_013989B3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013989B3 mov eax, dword ptr fs:[00000030h]	8_2_013989B3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h]	8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013109AD mov eax, dword ptr fs:[00000030h]	8_2_013109AD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013109AD mov eax, dword ptr fs:[00000030h]	8_2_013109AD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013429F9 mov eax, dword ptr fs:[00000030h]	8_2_013429F9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013429F9 mov eax, dword ptr fs:[00000030h]	8_2_013429F9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139E9E0 mov eax, dword ptr fs:[00000030h]	8_2_0139E9E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h]	8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h]	8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h]	8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h]	8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h]	8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h]	8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_013449D0 mov eax, dword ptr fs:[00000030h]	8_2_013449D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134A830 mov eax, dword ptr fs:[00000030h]	8_2_0134A830
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h]	8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h]	8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h]	8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01332835 mov ecx, dword ptr fs:[00000030h]	8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h]	8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h]	8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139C810 mov eax, dword ptr fs:[00000030h]	8_2_0139C810
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139E872 mov eax, dword ptr fs:[00000030h]	8_2_0139E872
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139E872 mov eax, dword ptr fs:[00000030h]	8_2_0139E872
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01340854 mov eax, dword ptr fs:[00000030h]	8_2_01340854
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01314859 mov eax, dword ptr fs:[00000030h]	8_2_01314859
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01314859 mov eax, dword ptr fs:[00000030h]	8_2_01314859
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01322840 mov ecx, dword ptr fs:[00000030h]	8_2_01322840
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139C89D mov eax, dword ptr fs:[00000030h]	8_2_0139C89D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310887 mov eax, dword ptr fs:[00000030h]	8_2_01310887
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C8F9 mov eax, dword ptr fs:[00000030h]	8_2_0134C8F9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134C8F9 mov eax, dword ptr fs:[00000030h]	8_2_0134C8F9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133E8C0 mov eax, dword ptr fs:[00000030h]	8_2_0133E8C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133EB20 mov eax, dword ptr fs:[00000030h]	8_2_0133EB20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133EB20 mov eax, dword ptr fs:[00000030h]	8_2_0133EB20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h]	8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01322B79 mov eax, dword ptr fs:[00000030h]	8_2_01322B79
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01322B79 mov eax, dword ptr fs:[00000030h]	8_2_01322B79
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01322B79 mov eax, dword ptr fs:[00000030h]	8_2_01322B79
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CB7E mov eax, dword ptr fs:[00000030h]	8_2_0130CB7E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308B50 mov eax, dword ptr fs:[00000030h]	8_2_01308B50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320BBE mov eax, dword ptr fs:[00000030h]	8_2_01320BBE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320BBE mov eax, dword ptr fs:[00000030h]	8_2_01320BBE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318BF0 mov eax, dword ptr fs:[00000030h]	8_2_01318BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318BF0 mov eax, dword ptr fs:[00000030h]	8_2_01318BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318BF0 mov eax, dword ptr fs:[00000030h]	8_2_01318BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01348BF0 mov ecx, dword ptr fs:[00000030h]	8_2_01348BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01348BF0 mov eax, dword ptr fs:[00000030h]	8_2_01348BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01348BF0 mov eax, dword ptr fs:[00000030h]	8_2_01348BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139CBF0 mov eax, dword ptr fs:[00000030h]	8_2_0139CBF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310BCD mov eax, dword ptr fs:[00000030h]	8_2_01310BCD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310BCD mov eax, dword ptr fs:[00000030h]	8_2_01310BCD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310BCD mov eax, dword ptr fs:[00000030h]	8_2_01310BCD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01334A35 mov eax, dword ptr fs:[00000030h]	8_2_01334A35
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01334A35 mov eax, dword ptr fs:[00000030h]	8_2_01334A35
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CA38 mov eax, dword ptr fs:[00000030h]	8_2_0134CA38
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CA24 mov eax, dword ptr fs:[00000030h]	8_2_0134CA24
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0139CA11 mov eax, dword ptr fs:[00000030h]	8_2_0139CA11
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308A00 mov eax, dword ptr fs:[00000030h]	8_2_01308A00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308A00 mov eax, dword ptr fs:[00000030h]	8_2_01308A00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138CA72 mov eax, dword ptr fs:[00000030h]	8_2_0138CA72
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138CA72 mov eax, dword ptr fs:[00000030h]	8_2_0138CA72
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CA6F mov eax, dword ptr fs:[00000030h]	8_2_0134CA6F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CA6F mov eax, dword ptr fs:[00000030h]	8_2_0134CA6F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CA6F mov eax, dword ptr fs:[00000030h]	8_2_0134CA6F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h]	8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h]	8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h]	8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h]	8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h]	8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h]	8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h]	8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01340A50 mov eax, dword ptr fs:[00000030h]	8_2_01340A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320A5B mov eax, dword ptr fs:[00000030h]	8_2_01320A5B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320A5B mov eax, dword ptr fs:[00000030h]	8_2_01320A5B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133EA5D mov eax, dword ptr fs:[00000030h]	8_2_0133EA5D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318AA0 mov eax, dword ptr fs:[00000030h]	8_2_01318AA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318AA0 mov eax, dword ptr fs:[00000030h]	8_2_01318AA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01366AA4 mov eax, dword ptr fs:[00000030h]	8_2_01366AA4
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01348A90 mov edx, dword ptr fs:[00000030h]	8_2_01348A90
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130EA80 mov eax, dword ptr fs:[00000030h]	8_2_0130EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130EA80 mov eax, dword ptr fs:[00000030h]	8_2_0130EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h]	8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134AAEE mov eax, dword ptr fs:[00000030h]	8_2_0134AAEE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134AAEE mov eax, dword ptr fs:[00000030h]	8_2_0134AAEE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310AD0 mov eax, dword ptr fs:[00000030h]	8_2_01310AD0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01344AD0 mov eax, dword ptr fs:[00000030h]	8_2_01344AD0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01344AD0 mov eax, dword ptr fs:[00000030h]	8_2_01344AD0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01366ACC mov eax, dword ptr fs:[00000030h]	8_2_01366ACC
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01366ACC mov eax, dword ptr fs:[00000030h]	8_2_01366ACC
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01366ACC mov eax, dword ptr fs:[00000030h]	8_2_01366ACC
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133ED25 mov eax, dword ptr fs:[00000030h]	8_2_0133ED25
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133ED25 mov eax, dword ptr fs:[00000030h]	8_2_0133ED25
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133ED25 mov eax, dword ptr fs:[00000030h]	8_2_0133ED25
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01398D20 mov eax, dword ptr fs:[00000030h]	8_2_01398D20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01306D10 mov eax, dword ptr fs:[00000030h]	8_2_01306D10
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01306D10 mov eax, dword ptr fs:[00000030h]	8_2_01306D10
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01306D10 mov eax, dword ptr fs:[00000030h]	8_2_01306D10
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01344D1D mov eax, dword ptr fs:[00000030h]	8_2_01344D1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132AD00 mov eax, dword ptr fs:[00000030h]	8_2_0132AD00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132AD00 mov eax, dword ptr fs:[00000030h]	8_2_0132AD00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0132AD00 mov eax, dword ptr fs:[00000030h]	8_2_0132AD00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310D59 mov eax, dword ptr fs:[00000030h]	8_2_01310D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310D59 mov eax, dword ptr fs:[00000030h]	8_2_01310D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01310D59 mov eax, dword ptr fs:[00000030h]	8_2_01310D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318D59 mov eax, dword ptr fs:[00000030h]	8_2_01318D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318D59 mov eax, dword ptr fs:[00000030h]	8_2_01318D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318D59 mov eax, dword ptr fs:[00000030h]	8_2_01318D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318D59 mov eax, dword ptr fs:[00000030h]	8_2_01318D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01318D59 mov eax, dword ptr fs:[00000030h]	8_2_01318D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CDB1 mov ecx, dword ptr fs:[00000030h]	8_2_0134CDB1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CDB1 mov eax, dword ptr fs:[00000030h]	8_2_0134CDB1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CDB1 mov eax, dword ptr fs:[00000030h]	8_2_0134CDB1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01338DBF mov eax, dword ptr fs:[00000030h]	8_2_01338DBF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01338DBF mov eax, dword ptr fs:[00000030h]	8_2_01338DBF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01346DA0 mov eax, dword ptr fs:[00000030h]	8_2_01346DA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133CDF0 mov eax, dword ptr fs:[00000030h]	8_2_0133CDF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133CDF0 mov ecx, dword ptr fs:[00000030h]	8_2_0133CDF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131ADE0 mov eax, dword ptr fs:[00000030h]	8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131ADE0 mov eax, dword ptr fs:[00000030h]	8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131ADE0 mov eax, dword ptr fs:[00000030h]	8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131ADE0 mov eax, dword ptr fs:[00000030h]	8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131ADE0 mov eax, dword ptr fs:[00000030h]	8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131ADE0 mov eax, dword ptr fs:[00000030h]	8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01330DE1 mov eax, dword ptr fs:[00000030h]	8_2_01330DE1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CDEA mov eax, dword ptr fs:[00000030h]	8_2_0130CDEA
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CDEA mov eax, dword ptr fs:[00000030h]	8_2_0130CDEA
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133EDD3 mov eax, dword ptr fs:[00000030h]	8_2_0133EDD3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133EDD3 mov eax, dword ptr fs:[00000030h]	8_2_0133EDD3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394DD7 mov eax, dword ptr fs:[00000030h]	8_2_01394DD7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394DD7 mov eax, dword ptr fs:[00000030h]	8_2_01394DD7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130EC20 mov eax, dword ptr fs:[00000030h]	8_2_0130EC20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320C00 mov eax, dword ptr fs:[00000030h]	8_2_01320C00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320C00 mov eax, dword ptr fs:[00000030h]	8_2_01320C00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320C00 mov eax, dword ptr fs:[00000030h]	8_2_01320C00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01320C00 mov eax, dword ptr fs:[00000030h]	8_2_01320C00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CC00 mov eax, dword ptr fs:[00000030h]	8_2_0134CC00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394C0F mov eax, dword ptr fs:[00000030h]	8_2_01394C0F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131AC50 mov eax, dword ptr fs:[00000030h]	8_2_0131AC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131AC50 mov eax, dword ptr fs:[00000030h]	8_2_0131AC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131AC50 mov eax, dword ptr fs:[00000030h]	8_2_0131AC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131AC50 mov eax, dword ptr fs:[00000030h]	8_2_0131AC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131AC50 mov eax, dword ptr fs:[00000030h]	8_2_0131AC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131AC50 mov eax, dword ptr fs:[00000030h]	8_2_0131AC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316C50 mov eax, dword ptr fs:[00000030h]	8_2_01316C50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316C50 mov eax, dword ptr fs:[00000030h]	8_2_01316C50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01316C50 mov eax, dword ptr fs:[00000030h]	8_2_01316C50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01344C59 mov eax, dword ptr fs:[00000030h]	8_2_01344C59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01330C44 mov eax, dword ptr fs:[00000030h]	8_2_01330C44
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01330C44 mov eax, dword ptr fs:[00000030h]	8_2_01330C44
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01338CB1 mov eax, dword ptr fs:[00000030h]	8_2_01338CB1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01338CB1 mov eax, dword ptr fs:[00000030h]	8_2_01338CB1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138CCA0 mov ecx, dword ptr fs:[00000030h]	8_2_0138CCA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138CCA0 mov eax, dword ptr fs:[00000030h]	8_2_0138CCA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138CCA0 mov eax, dword ptr fs:[00000030h]	8_2_0138CCA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0138CCA0 mov eax, dword ptr fs:[00000030h]	8_2_0138CCA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308C8D mov eax, dword ptr fs:[00000030h]	8_2_01308C8D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01342CF0 mov eax, dword ptr fs:[00000030h]	8_2_01342CF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01342CF0 mov eax, dword ptr fs:[00000030h]	8_2_01342CF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01342CF0 mov eax, dword ptr fs:[00000030h]	8_2_01342CF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01342CF0 mov eax, dword ptr fs:[00000030h]	8_2_01342CF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308CD0 mov eax, dword ptr fs:[00000030h]	8_2_01308CD0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CCC8 mov eax, dword ptr fs:[00000030h]	8_2_0130CCC8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133EF28 mov eax, dword ptr fs:[00000030h]	8_2_0133EF28
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01312F12 mov eax, dword ptr fs:[00000030h]	8_2_01312F12
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CF1F mov eax, dword ptr fs:[00000030h]	8_2_0134CF1F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01354F03 mov eax, dword ptr fs:[00000030h]	8_2_01354F03
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01346F60 mov eax, dword ptr fs:[00000030h]	8_2_01346F60
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01346F60 mov eax, dword ptr fs:[00000030h]	8_2_01346F60
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133AF69 mov eax, dword ptr fs:[00000030h]	8_2_0133AF69
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0133AF69 mov eax, dword ptr fs:[00000030h]	8_2_0133AF69
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CF50 mov eax, dword ptr fs:[00000030h]	8_2_0130CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CF50 mov eax, dword ptr fs:[00000030h]	8_2_0130CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CF50 mov eax, dword ptr fs:[00000030h]	8_2_0130CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CF50 mov eax, dword ptr fs:[00000030h]	8_2_0130CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CF50 mov eax, dword ptr fs:[00000030h]	8_2_0130CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0130CF50 mov eax, dword ptr fs:[00000030h]	8_2_0130CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CF50 mov eax, dword ptr fs:[00000030h]	8_2_0134CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394F40 mov eax, dword ptr fs:[00000030h]	8_2_01394F40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394F40 mov eax, dword ptr fs:[00000030h]	8_2_01394F40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394F40 mov eax, dword ptr fs:[00000030h]	8_2_01394F40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01394F40 mov eax, dword ptr fs:[00000030h]	8_2_01394F40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01342F98 mov eax, dword ptr fs:[00000030h]	8_2_01342F98
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01342F98 mov eax, dword ptr fs:[00000030h]	8_2_01342F98
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0134CF80 mov eax, dword ptr fs:[00000030h]	8_2_0134CF80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_0131EF8D mov eax, dword ptr fs:[00000030h]	8_2_0131EF8D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308FF0 mov ecx, dword ptr fs:[00000030h]	8_2_01308FF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Code function: 8_2_01308FF0 mov eax, dword ptr fs:[00000030h]	8_2_01308FF0

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Memory written: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Memory written: C:\Users\user\AppData\Roaming\YDKFDa.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe "C:\Users\user\AppData\Roaming\YDKFDa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Queries volume information: C:\Users\user\AppData\Roaming\YDKFDa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 13.2.YDKFDa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.YDKFDa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 13.2.YDKFDa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.YDKFDa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	131 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
z2PaymentAdviceD00772795264733.exe	34%	ReversingLabs
z2PaymentAdviceD00772795264733.exe	32%	Virustotal	Browse
z2PaymentAdviceD00772795264733.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\YDKFDa.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\YDKFDa.exe	34%	ReversingLabs
C:\Users\user\AppData\Roaming\YDKFDa.exe	32%	Virustotal	Browse

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet2.xsdM	z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr	false	high
http://www.tiro.com	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.19.dr	false	high
http://www.fontbureau.com/designers	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet.xsd	z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr	false	high
http://www.sajatypeworks.com	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet1.xsd	z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr	false	high
http://www.founder.com.cn/cn	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1737008129.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp, YDKFDa.exe, 00000009.00000002.1972590732.00000000027CA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559924
Start date and time:	2024-11-21 07:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z2PaymentAdviceD00772795264733.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/20@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 121 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:01:56	API Interceptor	2x Sleep call for process: z2PaymentAdviceD00772795264733.exe modified
01:01:59	API Interceptor	41x Sleep call for process: powershell.exe modified
01:02:02	API Interceptor	5x Sleep call for process: YDKFDa.exe modified
01:02:47	API Interceptor	1x Sleep call for process: WerFault.exe modified
06:01:59	Task Scheduler	Run new task: YDKFDa path: C:\Users\user\AppData\Roaming\YDKFDa.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_z2PaymentAdviceD_164c51a5d229aa518dd17c3de4a35bd70dfff2c_68d82f61_79e08b0e-ca07-4f91-a818-252224a5049e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6553517202074195
Encrypted:	false
SSDEEP:	96:dYF3qZvooOs5hJ77kfhQXIDcQvc6QcEVcw3cE/v+HbHsZAX/d5FMT2SlPkpXmTAe:mcZvooOY0BU/ojlzuiFUZ24IO8Xg
MD5:	03A36D8CDB348696FF47263C26E74636
SHA1:	EF4CFF609C8EC95CFEE2BB79DA2E7E80552D6814
SHA-256:	633012522D93B3B28851B4D59B934F9C1AF686F9C43F91304DD62E1A0DC66868
SHA-512:	A9731D65C77E134C2F4B995D991DE511BEDC00B6CB9F3102D42DCA961443387D5BC37C3867A34D1C2947AD3C8CC2C27F97283661441BE47DAE9FE226B547C124
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.6.4.2.5.4.6.5.8.9.9.1.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.6.4.2.5.4.6.9.4.9.2.9.1.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.e.0.8.b.0.e.-.c.a.0.7.-.4.f.9.1.-.a.8.1.8.-.2.5.2.2.2.4.a.5.0.4.9.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.f.4.0.7.a.5.-.b.4.c.0.-.4.3.1.f.-.a.8.b.5.-.f.8.b.b.e.e.c.4.4.1.c.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.2.P.a.y.m.e.n.t.A.d.v.i.c.e.D.0.0.7.7.2.7.9.5.2.6.4.7.3.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.u.t.q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.3.8.-.0.0.0.1.-.0.0.1.4.-.d.4.e.5.-.2.6.e.0.d.a.3.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.4.3.b.6.d.5.2.2.d.9.2.5.8.c.4.e.3.a.4.9.d.7.8.1.9.5.e.3.d.c.b.0.0.0.0.0.0.0.0.!.0.0.0.0.8.a.b.3.2.7.f.9.a.a.4.9.5.f.7.b.c.5.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD37F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Nov 21 06:02:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	24126
Entropy (8bit):	1.7982552614875578
Encrypted:	false
SSDEEP:	96:528W4z66IRdPki7NpkayMECcmbmymims2lmlXl/6yESlHWWIkWIXzIxScU:HSp8OnELmbmymimsCS1vEG6Sc
MD5:	7CBB70F76D468432E8459CC81FDCEAD9
SHA1:	3DE0D23577EB16E7FB05BA882163593831FB2767
SHA-256:	4040862506EBA723ACE98EE55584941D03A9CA3776585DFA98BA11C858A3B3B0
SHA-512:	4E32A788CB9E7B32B128B00D30B5C53872B0D02D15023EB343E5D98BEBD62E2D516EFCE3A1DD6CFBFB1CD5863104B008EBDEC0474D1DAB256B9F0D52731ECC06
Malicious:	false
Preview:	MDMP..a..... .........>g............4...............<.......d...............T.......8...........T...........0....V......................................................................................................eJ......L.......GenuineIntel............T.......8.....>g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD3DD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6408
Entropy (8bit):	3.7224507203264467
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbYVl6NrL3oYAQE/m+tt5aM4UB89b9Esf9/m:R6l7wVeJYv6NgYANprB89b9Esf9/m
MD5:	E59C6435C2622F941812BC27C2C1145A
SHA1:	4B304EEA09298A26EC88DBE404634B5057E20323
SHA-256:	D4587F5FFD27E92A59123F72F17C631F0B1B86D5F61C794ED9A18A60B8CA85C8
SHA-512:	F11C53A430F259EB860BAA7BD52325F97B4290887BFFEE8F70067921BC1D29270B2A9538823C94AFB22F328CF6D538B10669B2648B31E42A1953CCCCB7DBEBF7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD40D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4778
Entropy (8bit):	4.519648506705101
Encrypted:	false
SSDEEP:	48:cvIwWl8zseJg77aI96tWpW8VYHiYm8M4JitFDp+q8YUUjaNYkzAMc58d:uIjfUI78c7VgLJiZ+ylMc58d
MD5:	AD371069952AAAC2509BD8A227086F00
SHA1:	9998D4991E595364D985DED27409E6CC97FD309F
SHA-256:	D1A7DF5D1ED5078C996A943A7F0597AB8A40B54CE231770F0A32060F9C73E890
SHA-512:	DF33C3BE73E690D73DD5A14D6635FAC1222B2100ED9280B4CACDA9DF55A8EA67762648CBD91FCB5E913514C691BB5E1E028FD590DFAAD6D67DD1029276A93360
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="597425" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YDKFDa.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\YDKFDa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z2PaymentAdviceD00772795264733.exe.log

Download File

Process:	C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCsIfA2KRHmOugw1s
MD5:	3E5712DC6AFCA8CF60C5CB8BE65E2089
SHA1:	CDBAF3935912EFB05DBE58CA89C5422F07B528A0
SHA-256:	B9F7E5F0AFD718D8585A8B37DD8C459ECDD4E7E68C5FE61631D89CDD3E229833
SHA-512:	1BD81033EB26CD0EE3DEF6F02FECB4097D878D61CAA5BEF6739C51E889B99C9E695BECF51719959D33F7BA9838E202ADD7EE4DD704D5163B584F4E8B8B7ECC38
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10jtw2tl.eau.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3j4yt0gt.tnp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gsnvkha.2o3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bj43j0zf.ymy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljsnq2wn.jtt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdv1ryt4.f03.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t45vent5.t15.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxlrcx5r.fbs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpB018.tmp

Download File

Process:	C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.114166306870364
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT/v
MD5:	9C573769616864D8C3B2D741692725B1
SHA1:	C2CD2E0B55DDB1B84C56DA1754D5BF65405205F0
SHA-256:	648F1B01AFD9872FEF8A620211EB7AC189F827F84F84461D90E0D5949EF2D2F5
SHA-512:	FD7327D9F9FA0C147A299D26ACD00B54ECF3CC7E3022E82496F428419AF0B1250EED324F33D46C7FDF3643F63DDCA86B519741D387D559A09A4F5FD1B97199E6
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpCA38.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\YDKFDa.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.114166306870364
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT/v
MD5:	9C573769616864D8C3B2D741692725B1
SHA1:	C2CD2E0B55DDB1B84C56DA1754D5BF65405205F0
SHA-256:	648F1B01AFD9872FEF8A620211EB7AC189F827F84F84461D90E0D5949EF2D2F5
SHA-512:	FD7327D9F9FA0C147A299D26ACD00B54ECF3CC7E3022E82496F428419AF0B1250EED324F33D46C7FDF3643F63DDCA86B519741D387D559A09A4F5FD1B97199E6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\YDKFDa.exe

Download File

Process:	C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1025024
Entropy (8bit):	7.557398511846111
Encrypted:	false
SSDEEP:	12288:ocsCELA+12Hd5lpvS36pDfi/xN3xIwHzufVzxWWgYR5rEZSkRTIgKlFWRXF2wxSX:czuNzxWEH4JR8Bk2whho5S3CBUB6NA
MD5:	BB600D9F9B2C015C5DCEC1E1A02684BC
SHA1:	8AB327F9AA495F7BC5B2E6101C1152463BEDC24A
SHA-256:	8DD1167EF29A5C350FD3004DA6A685CF48C6C587DAC25FC4786F9FD90284B5B1
SHA-512:	41C1CD58200AA7B1629B9D8161FFEE6DBF6704C539F60A3EF184C0306939DEA9C743F5B5D13D41A2442A573F9D480A9A18CF476E5657DFE1E86ECEEBD12C1977
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 32%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0..z...(......>.... ........@.. ....................................@....................................O........%........................................................................... ............... ..H............text...Dy... ...z.................. ..`.rsrc....%.......&...\|..............@..@.reloc..............................@..B................ .......H............3..........tJ..xN............................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."

C:\Users\user\AppData\Roaming\YDKFDa.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465731963241889
Encrypted:	false
SSDEEP:	6144:wIXfpi67eLPU9skLmb0b4PWSPKaJG8nAgejZMMhA2gX4WABl0uNbdwBCswSb0:VXD94PWlLZMM6YFHN+0
MD5:	DEC3FEE9E14FE2AB406073DA901516B6
SHA1:	C141A24AF05A5DC21115C70B9D77F11899E0081B
SHA-256:	C2AE59EABF0299C295575E6D2D144D428727BE3711878EB67EABEB99A82A3611
SHA-512:	6AC80722481173A91B3892F3D3BE143D66CE8F8D368A64F4E8B598A2B5CF3E01FC32330BA21DCDC9BE0924222002A78BD43B001FE91BB3A3E296A7B4744D162C
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....;..............................................................................................................................................................................................................................................................................................................................................~...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.557398511846111
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	z2PaymentAdviceD00772795264733.exe
File size:	1'025'024 bytes
MD5:	bb600d9f9b2c015c5dcec1e1a02684bc
SHA1:	8ab327f9aa495f7bc5b2e6101c1152463bedc24a
SHA256:	8dd1167ef29a5c350fd3004da6a685cf48c6c587dac25fc4786f9fd90284b5b1
SHA512:	41c1cd58200aa7b1629b9d8161ffee6dbf6704c539f60a3ef184c0306939dea9c743f5b5d13d41a2442a573f9d480a9a18cf476e5657dfe1e86eceebd12c1977
SSDEEP:	12288:ocsCELA+12Hd5lpvS36pDfi/xN3xIwHzufVzxWWgYR5rEZSkRTIgKlFWRXF2wxSX:czuNzxWEH4JR8Bk2whho5S3CBUB6NA
TLSH:	8A25BF20B7F89D67E27AB0F3EB84424097B6D541767BE7AA4CC564CE25C27320783927
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0..z...(......>.... ........@.. ....................................@................................

File Icon


Icon Hash:	130b253d1931012d

Static PE Info

General

Entrypoint:	0x4f993e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673E8F8E [Thu Nov 21 01:40:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf98ec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfa000	0x2588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf7944	0xf7a00	4a0ca8c3d5749cb302c7268dc1a47714	False	0.7485743469207471	data	7.559709019658348	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xfa000	0x2588	0x2600	f15a893fcc34638ca78bdeb9fdf8d81a	False	0.8751027960526315	data	7.577242487385272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfe000	0xc	0x200	5d8ca4a51595796b78b5daad790a9469	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xfa100	0x2016	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9504504504504504
RT_GROUP_ICON	0xfc128	0x14	data	1.05
RT_VERSION	0xfc14c	0x23c	data	0.46853146853146854
RT_MANIFEST	0xfc398	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	01:01:55
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Imagebase:	0x4e0000
File size:	1'025'024 bytes
MD5 hash:	BB600D9F9B2C015C5DCEC1E1A02684BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:01:57
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Imagebase:	0x1c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:01:57
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:01:58
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe"
Imagebase:	0x1c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:01:58
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:01:58
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"
Imagebase:	0xdc0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:01:58
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:01:58
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Imagebase:	0x800000
File size:	1'025'024 bytes
MD5 hash:	BB600D9F9B2C015C5DCEC1E1A02684BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:01:59
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\YDKFDa.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\YDKFDa.exe
Imagebase:	0x360000
File size:	1'025'024 bytes
MD5 hash:	BB600D9F9B2C015C5DCEC1E1A02684BC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs Detection: 32%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:02:01
Start date:	21/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:02:05
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp"
Imagebase:	0xdc0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:02:05
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:02:06
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\YDKFDa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\YDKFDa.exe"
Imagebase:	0xf50000
File size:	1'025'024 bytes
MD5 hash:	BB600D9F9B2C015C5DCEC1E1A02684BC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:02:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 196
Imagebase:	0xcd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.5%
Total number of Nodes:	228
Total number of Limit Nodes:	9

Executed Functions

Function 070BCC50 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16ae57c74173a80f9e4a17ae08cea55e8ff8bf39f77374944b6930c6c1e06b9
Instruction ID: 1e1a423b5eef10631b9e6b76ef9560e5351cdd6a8ffa8aaa22385f8ab60ffee8
Opcode Fuzzy Hash: c16ae57c74173a80f9e4a17ae08cea55e8ff8bf39f77374944b6930c6c1e06b9
Instruction Fuzzy Hash: F4C1CBB07006018FEB29DB75C4207AFB7F6AF8A300F144569E146DB291CB39EA05CB62

Function 070BAE40 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b928384c0dfb7b05e80513292d7686e7ef4b2893a000787009bffe2a80278266
Instruction ID: f9e3447225db6cd00bdf80b96bd0c3dcff943fbfaf962da0b8158a5f74fedd0b
Opcode Fuzzy Hash: b928384c0dfb7b05e80513292d7686e7ef4b2893a000787009bffe2a80278266
Instruction Fuzzy Hash: E861F7B1E55229CBDB64CF66C8407EDFBB6BF89300F14C2AAD51DA6250EB705A85CF40

Function 070BB7BF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d03579ea7dd75e413df55a705fb81fe25ea259d09721493a2e666056637faaf
Instruction ID: dfe92bd69245af865bbf7fa0c644def4f1518793e3799ab9937301ada21f8d52
Opcode Fuzzy Hash: 2d03579ea7dd75e413df55a705fb81fe25ea259d09721493a2e666056637faaf
Instruction Fuzzy Hash: F9A002E0C7D110CFC5250D14E1099FCF53D931F262F407300B13FB30525624D250999D

Function 070B7B75 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070B7DB6

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5a6d9f143611dae9ccf5074b6d3da462e6772111a60d06fbfc8b32473bbe3797
Instruction ID: 7570d2bc2a4609383d1cca85815fe9510c98d640f5899f926c492ff14f7edf19
Opcode Fuzzy Hash: 5a6d9f143611dae9ccf5074b6d3da462e6772111a60d06fbfc8b32473bbe3797
Instruction Fuzzy Hash: 93A15FB1D00219DFDB24CFA8C8417EDBBF2BF89314F1482AAD859A7250D7749A85CF91

Function 070B7B80 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070B7DB6

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8b420518203787a8ea990e68a2952c4ddf79d295807f0280f54b7c4221006011
Instruction ID: 7288b475c6091da8efb70fc6ea5bf0007ecedb03eefe6bb7aac08af4f6b62b45
Opcode Fuzzy Hash: 8b420518203787a8ea990e68a2952c4ddf79d295807f0280f54b7c4221006011
Instruction Fuzzy Hash: E8914FB1D00219DFDB24CFA8C8417EDBBF6BF88314F14826AD819A7254D7749A85CF91

Function 00FAAD08 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FAAF5E

Memory Dump Source

Source File: 00000000.00000002.1734892304.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 903c9ef22ac7809db070c0baab6bb45fcb7ea14faacaaaf9b5dd9ff2bb8a1705
Instruction ID: 0fed97d14011953f168c7455877143461317a9e13c933b9c83a060cb9aaf8438
Opcode Fuzzy Hash: 903c9ef22ac7809db070c0baab6bb45fcb7ea14faacaaaf9b5dd9ff2bb8a1705
Instruction Fuzzy Hash: F58168B0A00B058FDB24DF2AC44175ABBF5FF89314F008A2DD496DBA50D775E949CB91

Function 00FA58EC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FA59A9

Memory Dump Source

Source File: 00000000.00000002.1734892304.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cab69b6733bd620883ccec01187ab5c727260374d1c84e4d7c7976edb77accd1
Instruction ID: 7ce9d79fa8fc7478c6e9a3843b8fce40a280c4e9ff0aff89948440c392ce7bce
Opcode Fuzzy Hash: cab69b6733bd620883ccec01187ab5c727260374d1c84e4d7c7976edb77accd1
Instruction Fuzzy Hash: C241FFB0D00619CFDB24DFA9C884BCEBBB5BF49704F20816AD408AB251DB756986CF90

Function 00FA44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FA59A9

Memory Dump Source

Source File: 00000000.00000002.1734892304.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b5602d8f5cb7e38f3dbfa404f4a96bc0d1bc43872ff6243030f163942d7b5ec3
Instruction ID: 411ca12e35ea16d77012ca2cdb299935288856cadde38284098db47feb9c5844
Opcode Fuzzy Hash: b5602d8f5cb7e38f3dbfa404f4a96bc0d1bc43872ff6243030f163942d7b5ec3
Instruction Fuzzy Hash: 0041DFB0D00719CFDB24DFA9C884B8EBBF5BF49704F20816AD418AB255DB756989CF90

Function 070B78F1 Relevance: 1.6, APIs: 1, Instructions: 77
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070B7988

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5902b5bf6fff3ad2886b76cc4f66d5eab191cd2568193f390b72128292b4f627
Instruction ID: 97bff90569d7a105f45da7f34db2beba24f6aeaba17dd2a00e06b1243d9c9159
Opcode Fuzzy Hash: 5902b5bf6fff3ad2886b76cc4f66d5eab191cd2568193f390b72128292b4f627
Instruction Fuzzy Hash: AB3167B2900359DFCB10CFA9C884BDEBBF5EF48310F10842AE958A7241C7799945CBA4

Function 070B79E0 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070B7A68

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 93bb76885bb39f502c2a134e4ea35ea8333c8583c72b6340e15a24b6094fa23f
Instruction ID: 43fef37c5125eb365b2df76df06ff1f7e697ad33af6940d7d1845582487a798c
Opcode Fuzzy Hash: 93bb76885bb39f502c2a134e4ea35ea8333c8583c72b6340e15a24b6094fa23f
Instruction Fuzzy Hash: F52148B1900359DFDB10CFA9C8857EEBBF5FF48320F10842AE558A7251C7799945CBA4

Function 070B7320 Relevance: 1.6, APIs: 1, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070B73A6

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 73ebc86d9f5a6041afbd2bd683abf255b404904ab0c5e8ac105249d2942d1435
Instruction ID: ac8c125b72391e9d9e4394fe8d4c7b13e0fceda512fac2c40b4f8f6a949be3aa
Opcode Fuzzy Hash: 73ebc86d9f5a6041afbd2bd683abf255b404904ab0c5e8ac105249d2942d1435
Instruction Fuzzy Hash: 172139B19002498FDB10DFA9C4457EEBBF5EF88324F24842AD855A7241C7789949CBA4

Function 00FAD5E8 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FAD5B6,?,?,?,?,?), ref: 00FAD677

Memory Dump Source

Source File: 00000000.00000002.1734892304.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 053cd3303eb2be495f0be4569871f95c18dc051a262ad2597dae14e3cc78cb07
Instruction ID: b8536b903c0433f2b9c0f3d7522f23fadb117ce3507b61675af0e420a9d11e19
Opcode Fuzzy Hash: 053cd3303eb2be495f0be4569871f95c18dc051a262ad2597dae14e3cc78cb07
Instruction Fuzzy Hash: E93137B58002499FDB10CFA9D544ADEFFF4EB49320F14815AE958A7351C378A941DFA4

Function 070B78F8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070B7988

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e611aac4d1cc7579074efd54107d632262a58523d50505691dc5d19d3f7db025
Instruction ID: 10447c82597d18b3fc5c63ebde84769ba18a4e52535d413a5b2ee9910f2862ad
Opcode Fuzzy Hash: e611aac4d1cc7579074efd54107d632262a58523d50505691dc5d19d3f7db025
Instruction Fuzzy Hash: B02157B1900319DFDB10CFA9C881BDEBBF5FF48310F10842AE959A7250C7789944CBA4

Function 00FAD1DC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FAD5B6,?,?,?,?,?), ref: 00FAD677

Memory Dump Source

Source File: 00000000.00000002.1734892304.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 71a1bae0b194d11d3a47eb6504459a59bbd9b965e2ca29cee03ac9dfb2350a3a
Instruction ID: 553d1b787d703dbd427789b143e31497557dbdef9ce8c1e0bb842029f13cd94f
Opcode Fuzzy Hash: 71a1bae0b194d11d3a47eb6504459a59bbd9b965e2ca29cee03ac9dfb2350a3a
Instruction Fuzzy Hash: F921E4B5D00248DFDB10CF9AD584ADEFBF4EB48324F14801AE919A7351D378A950DFA4

Function 070B7328 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070B73A6

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9170f26407b72b3e93a4d1c449827365b505ad1f711421d1a8ec49d945412f93
Instruction ID: fabb507ad2785d19c3a87595f2042ab39f288f987e9e5e705ee0e8c330c69823
Opcode Fuzzy Hash: 9170f26407b72b3e93a4d1c449827365b505ad1f711421d1a8ec49d945412f93
Instruction Fuzzy Hash: 052118B19003098FDB10DFAAC4857EEBBF5EF88324F14842AD859A7251D7789944CFA5

Function 070B79E8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070B7A68

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e8efd6336abc4621c178d8a244e6b0e3284cae4a929b5d6c27cb051044079a35
Instruction ID: f0e0d7a6615153fd1d37ffa00661de63803fd2f295dd071e3f6f1780c5fb7d44
Opcode Fuzzy Hash: e8efd6336abc4621c178d8a244e6b0e3284cae4a929b5d6c27cb051044079a35
Instruction Fuzzy Hash: AC2139B18003599FDB10DFAAC841BEEFBF5FF88320F10842AE559A7250C7389944CBA4

Function 070B7830 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070B78A6

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1a55e037f1845f5731829c5c8c8aa345bb0485154ab5d38f261aea09af19515b
Instruction ID: c0c2cc6950672f2b0d4d49d8dde61494f65407926f7e15da5f6c4991985162a0
Opcode Fuzzy Hash: 1a55e037f1845f5731829c5c8c8aa345bb0485154ab5d38f261aea09af19515b
Instruction Fuzzy Hash: 5D2188B2904249DFCB20DFA9C845AEEBFF5EF88320F24881AE555A7251C7359954CBA0

Function 070B7272 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070B72DA

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1fbf1f7e451cb2922d3165bdeedeb8bcc79b6a74d6166a582007473b5efc358e
Instruction ID: ec84a37472e583be5ba9a55c5273c45215a858fee6ec27f094b3918eec3dad1e
Opcode Fuzzy Hash: 1fbf1f7e451cb2922d3165bdeedeb8bcc79b6a74d6166a582007473b5efc358e
Instruction Fuzzy Hash: D511ACB18043898FCB20DFA9C4457EEFFF4EF88320F24845AD059A7251C7386944CB94

Function 070B7838 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070B78A6

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e96987a2d652853c432f66c9e5651aa9f7e1e8a50fb0ae116a7e520098d61434
Instruction ID: 54017480b814cae3e825b7e73ef6bd11a77a57fccbca683f9674f79754814461
Opcode Fuzzy Hash: e96987a2d652853c432f66c9e5651aa9f7e1e8a50fb0ae116a7e520098d61434
Instruction Fuzzy Hash: 7C1167B28002499FDB20DFAAC845BDEBFF5EF88320F10881AE555A7250C735A940CFA0

Function 070BBFE0 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070BC045

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 924b194f4fde7a50139bfc6338f3d5d359e81a66b556e90eee95859046a3adea
Instruction ID: 003ed6fcff0178980f09ffb3439c1cfc97a2f13d935d17de469722469d731140
Opcode Fuzzy Hash: 924b194f4fde7a50139bfc6338f3d5d359e81a66b556e90eee95859046a3adea
Instruction Fuzzy Hash: 6B1146B18043899FEB10CF99C445BDEFFF8EB08324F208819D554A7240C379A540CFA4

Function 070B7278 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070B72DA

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cdbab5db31ca1894f46055cd4645eaa26ea739beef6d56174e655a80f5014e78
Instruction ID: b1b6419db73f2cc73877cbfb7519b61eb06ce40d262339cc714098cfec512adc
Opcode Fuzzy Hash: cdbab5db31ca1894f46055cd4645eaa26ea739beef6d56174e655a80f5014e78
Instruction Fuzzy Hash: 73113AB19003498FDB20DFAAC4457DEFBF5EB88324F20842AD459A7250CB79A544CFA4

Function 070B6448 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070BC045

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c999b672a823f700bdbb5bd5c2360f52de94a8cb0995aa0610a68b90abe4ca7f
Instruction ID: 8c62a7a2c7bcd4e4b839d1f0a66125206bb1e2673865473c407ad7d642ada3b8
Opcode Fuzzy Hash: c999b672a823f700bdbb5bd5c2360f52de94a8cb0995aa0610a68b90abe4ca7f
Instruction Fuzzy Hash: EE11F5B58003499FDB20DF99C445BDEBBF8EB48314F10841AE554A7250C375A944CFA5

Function 00FAAEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FAAF5E

Memory Dump Source

Source File: 00000000.00000002.1734892304.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fb044359faeb50037fe3e4afad356ece26f8fdcb7a547d019fbef247241773fe
Instruction ID: 88b88d8becd313d7a47ae2d17a1aa189dc50517f5e85d9c571f7c581e4bf5283
Opcode Fuzzy Hash: fb044359faeb50037fe3e4afad356ece26f8fdcb7a547d019fbef247241773fe
Instruction Fuzzy Hash: C611E0B6C002498FDB14CF9AD444BDEFBF4EB89324F10846AD459A7210C379A545CFA5

Function 00B9D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732936357.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12245066e90656b41aef593d89d0176a84c886a3fa37f40cc5aa0aa18dc7b46
Instruction ID: 309c066c950f6483d2f1ad18dfac731195af8fc277c0b0177ed46887d5afc02d
Opcode Fuzzy Hash: f12245066e90656b41aef593d89d0176a84c886a3fa37f40cc5aa0aa18dc7b46
Instruction Fuzzy Hash: 33212871504204DFDF05DF15D9C0B26BFA5FB94314F20C5B9D9094B356C336E856C6A2

Function 00B9D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732936357.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc4ef43afa64a342f4fc44c48929abdb88438a66c61a08f579f53a9d6c0eace
Instruction ID: 3a0b1b1740f1db7b290cfe037f0de727220dba2bc28516b19d3cdb821aa21cd4
Opcode Fuzzy Hash: 9dc4ef43afa64a342f4fc44c48929abdb88438a66c61a08f579f53a9d6c0eace
Instruction Fuzzy Hash: 98212271500240DFDF05DF15DAC0B2ABFA5FBA8318F20C5B9E8094B266C336D856CBA2

Function 00BAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733449066.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88547a39e7cbed97be40cc21c8dec8fc7749c9d8ea069810a7ee35980f89937d
Instruction ID: c7b78ae4d88881361ac37c7e5901d1d0274fe7888660484e43619e7f529a8705
Opcode Fuzzy Hash: 88547a39e7cbed97be40cc21c8dec8fc7749c9d8ea069810a7ee35980f89937d
Instruction Fuzzy Hash: 83210471608200DFCB24DF24D9D4B26BFA5FB89314F20C5ADD84A4B696C33AD847CA61

Function 00BAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733449066.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2482a84ecafbce997f23df76c39a79d5daffbae07b3fb6c65ab780529c48bca
Instruction ID: ada2b5ce7d3a5c3bd48b3847a7fbdbbfe361d0de5117a4e14a66618d93604ddc
Opcode Fuzzy Hash: e2482a84ecafbce997f23df76c39a79d5daffbae07b3fb6c65ab780529c48bca
Instruction Fuzzy Hash: 18212671608300EFDB05DF14DAC4B26BBE5FB85314F20C6ADE80A4B696C33AD846CA61

Function 00BAD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733449066.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeaf66f532c9dd658d0bdd3f4a5b42dd1881a95478d48418a486e0807ad04fa
Instruction ID: ff28d2eb8ef45aa6df6d646875d646304d9c17d525bfa5dab9980833dce72614
Opcode Fuzzy Hash: 4aeaf66f532c9dd658d0bdd3f4a5b42dd1881a95478d48418a486e0807ad04fa
Instruction Fuzzy Hash: 1F2184755093808FDB16CF24D594715BFB1EB46314F28C5DAD8498F697C33AD80ACB62

Function 00B9D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732936357.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1ad52113e3980afeb9d4cb68ae616df9bd765b346716fed6967e203dfa8b722c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0211D376504280CFCF16CF14D5C4B16BFB1FBA4318F24C6AAD8494B656C336D85ACBA1

Function 00B9D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732936357.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 9346cc12e18f722f033c1293f477ee4509e093d5ae51c404e6022bd0c62b8fe3
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 62119D76504240DFDF16CF14D5C4B16BFA1FB94324F24C6A9D9090B756C33AE85ACBA1

Function 00BAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733449066.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bad000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 2d36751ad84753edca53321a5c872df0cdcf0c4c1d8d62677c3661f7b4407060
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 0F118B75508380DFDB16CF14D5C4B15BBA1FB85314F24C6AAD84A4B6A6C33AD84ACB61

Function 00B9D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732936357.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe28604aebfbc90ff01106077794522db5c6d37c124f8edc3bd512edf8de37e
Instruction ID: 41b7de4d593fc23a3f68f894b8f5c7ab17d231fe272a6e3a35ed5f832a9dc0d1
Opcode Fuzzy Hash: dfe28604aebfbc90ff01106077794522db5c6d37c124f8edc3bd512edf8de37e
Instruction Fuzzy Hash: BE01A7711083409AEB104B67DDC4767BFE8EF55324F18C9BAED094A296C67D9C40C6B1

Function 00B9D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732936357.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9c0ad240f9f37959fcd5b37a0e67751bed8f1c7756657095898f27fe21672f
Instruction ID: 13f151408af56e4dc424db9da87f5bd362c5271ed209de2b4a9601d157772e00
Opcode Fuzzy Hash: 0d9c0ad240f9f37959fcd5b37a0e67751bed8f1c7756657095898f27fe21672f
Instruction Fuzzy Hash: 1BF06275404344AEEB108A16DC84B62FFE8EF55725F18C55AED084A286C27D9C44CAB1

Non-executed Functions

Function 070B4F70 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494245382b3f56234911d397f972ee7c903e40db9131493f6e1f5d95c86acd76
Instruction ID: 0a822d16502f02f6734e2484f45920bd0df583b2aad79abc5bd0a89de4706483
Opcode Fuzzy Hash: 494245382b3f56234911d397f972ee7c903e40db9131493f6e1f5d95c86acd76
Instruction Fuzzy Hash: 29E1DCB4E142598FCB14DFA9C9809AEFBF2BF89304F248169E415AB355DB31AD41CF60

Function 070B57E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b010b8f04198a26e5863655de9cdcdcbe1e06ad627c299dfcc25921dcafddb
Instruction ID: 9377e46b718a237cab3df232a7a76c44f05bd6178daf38da17e5bd21622baf56
Opcode Fuzzy Hash: 87b010b8f04198a26e5863655de9cdcdcbe1e06ad627c299dfcc25921dcafddb
Instruction Fuzzy Hash: 15E1DCB4E141598FCB14DFA9C9809AEFBF2BF49304F248269D415AB356DB31AD41CF60

Function 070B7400 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883b4de3eb0b875dfa54ceed91c351e45a4b093483e5e0356e31e67fed757348
Instruction ID: 6dee2b827c391393ddadd743c9cb99d818f7b37f4ceb25a5ed756492baf5ddc1
Opcode Fuzzy Hash: 883b4de3eb0b875dfa54ceed91c351e45a4b093483e5e0356e31e67fed757348
Instruction Fuzzy Hash: 21E1D9B4E141198FCB14DFA9C5809AEFBF2BF89304F24926AD415AB356DB30AD41CF61

Function 070B4B38 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b79365732150982f84a77a35e9436c73470be3d9b501029f093a018a83821e
Instruction ID: 8622552d541c51e7b2f1120803b5161e1919d77393b395929f39d61816497651
Opcode Fuzzy Hash: 74b79365732150982f84a77a35e9436c73470be3d9b501029f093a018a83821e
Instruction Fuzzy Hash: 8DE1DCB4E141598FCB14DFA9C5809AEFBF2BF49304F248269E414AB356DB31AE41CF61

Function 070B53A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4efaf97815d9e1dde758f50843d5fcebce371d6726b697e7139fa4744f39e2
Instruction ID: cc5e9b027a9ed13f3ff2cdd335a2e5349a80b4c9e951a430a09716697e4b61f2
Opcode Fuzzy Hash: ae4efaf97815d9e1dde758f50843d5fcebce371d6726b697e7139fa4744f39e2
Instruction Fuzzy Hash: DDE1CAB4E142198FCB14DFA9D9809AEFBF2BF89305F248169E414AB355DB31AD41CF60

Function 00FAD51C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734892304.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef90d22d0aa306b7c6b8efe0b8889995a39a4eeffb6871b49ae7c87f7bc6d7c
Instruction ID: b75dbdc21e7c6ce2a71f1090de0c109542d5b2149352cb04a20ba281cc62c0ef
Opcode Fuzzy Hash: 4ef90d22d0aa306b7c6b8efe0b8889995a39a4eeffb6871b49ae7c87f7bc6d7c
Instruction Fuzzy Hash: 6AA15A76E00209CFCF15DFA4C84459EB7B2FF86310B1585BAE806AF265DB35E91ADB40

Function 070B4F60 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdaba36ce92354be351c9e32e953a608dc7af7d152fdaae15b21dd6d186f05f
Instruction ID: 51f088a07b8171e3576fef7ad2e8d55021340805ae7df04b64eb7c8c222312f2
Opcode Fuzzy Hash: afdaba36ce92354be351c9e32e953a608dc7af7d152fdaae15b21dd6d186f05f
Instruction Fuzzy Hash: EE510DB4E142598FCB14DFA9C9805EEFBF2AF89304F2481A9D418AB316D7315A41CFA1

Function 070B4B28 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e23ca66bcd6eb5b4a90e7437f8017830b33315b3c8fc08ed59e3d167579b535
Instruction ID: ce3e2996add9f6e1edd7aefd0adedf9765edc9afb65a88ec1057d0c48186a28e
Opcode Fuzzy Hash: 0e23ca66bcd6eb5b4a90e7437f8017830b33315b3c8fc08ed59e3d167579b535
Instruction Fuzzy Hash: 32512DB0E142598FCB14DFA9C5805AEFBF2BF89300F24C269E418AB356D7305A41CFA1

Function 070B57CF Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304d254bf2303002e65350a9439047af8eae4e731b189b6b12f1db5dbc4f089e
Instruction ID: 3a6cc7834e423c715861e8402d23a3477064ae0fa97608eca7ab4f88472fe51b
Opcode Fuzzy Hash: 304d254bf2303002e65350a9439047af8eae4e731b189b6b12f1db5dbc4f089e
Instruction Fuzzy Hash: 7351FCB4E142598FCB14DFAAC9805EEBBF2BF89314F14C1A9D418AB356D7309A41CF61

Function 070BAE30 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743384584.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab20b140be882c235d7aa9e4870221665119443718106abf5609a06cc498a85
Instruction ID: d65423d2968989b9c6d20e6d570da9fa0fbbfa1acb31b409af6b49d9b19da676
Opcode Fuzzy Hash: 3ab20b140be882c235d7aa9e4870221665119443718106abf5609a06cc498a85
Instruction Fuzzy Hash: 0031DCF1E452298BEB29CF6AC8047DDFAF6AF89300F04C1AAC41CA6255DB340A85DF40

Analysis Process: z2PaymentAdviceD00772795264733.exePID: 7736, Parent PID: 7312COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	20%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 01352DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0138E73E,0000005A,013ED040,00000020,00000000,013ED040,00000080,01374A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0135AE00), ref: 01352DFA

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cae39519ce16ff824eaed66c9c3241a38d1348b1540e4bc7781df07aee312ce0
Instruction ID: 63849117fe38e71df198e78c58ccb50af25c9cdf2217d4c067111c7c44753fd5
Opcode Fuzzy Hash: cae39519ce16ff824eaed66c9c3241a38d1348b1540e4bc7781df07aee312ce0
Instruction Fuzzy Hash: 6490027520150413E111715C850470B000D97D5245F95C452A4424558DD6568A56A221

Function 01352C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0136FD4F,000000FF,00000024,01406634,00000004,00000000,?,-00000018,7D810F61,?,?,01328B12,?,?,?,?), ref: 01352C24

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f5dbbf1456eaaea87214d8597f927526f8c8b5fb8b943047f9d49b371250884
Instruction ID: 76537d0d5da56b3abd499dd32600ed6b893ae6f7f129e7b2cd6df59f8529869b
Opcode Fuzzy Hash: 8f5dbbf1456eaaea87214d8597f927526f8c8b5fb8b943047f9d49b371250884
Instruction Fuzzy Hash: E2B09B719015C5C5EF51E7644608B1B790477D1705F15C061D6030641F4738C1D5E275

Function 0042E8DD Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2195471812.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42e000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488100d8cbb77d35520776c25e53210ee0e44671820353f2150349199554be4b
Instruction ID: cf80e81f0ddde677eb7f8c52eba2ad7e2b5d66013716722d6d907c6d7acbb255
Opcode Fuzzy Hash: 488100d8cbb77d35520776c25e53210ee0e44671820353f2150349199554be4b
Instruction Fuzzy Hash: 67F04472B0123463D220319B7C06F6B66598BC0B64F99057BFE1CAB342F5A99D1242ED

Function 0042E37E Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2195471812.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42e000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e7c3cc5b655a2c18881d5957f2cc082f2a1984b945fd56a77916c7ddf188af
Instruction ID: 620758e5bfeec7d454602bdcd39fbc84bfd4df5d12d7fa408b5504131a588007
Opcode Fuzzy Hash: 68e7c3cc5b655a2c18881d5957f2cc082f2a1984b945fd56a77916c7ddf188af
Instruction Fuzzy Hash: 0501B971D0022856FB68FBA59C92FDE7778AB04304F4005DAB60CA7181EFB4568C8B95

Function 0042E383 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2195471812.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42e000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb43ce9780cbbeb687307c4a0133b4985792a505e7551cfd1e4746e046c68c26
Instruction ID: fa02b82f83d2b57f30124be931f9fed508280326a3613d618c2c7aa231130e18
Opcode Fuzzy Hash: cb43ce9780cbbeb687307c4a0133b4985792a505e7551cfd1e4746e046c68c26
Instruction Fuzzy Hash: A2018871D4022C56FB68FB959C92FEEB778AB04304F5006DAB60CA3181FFB4568C8B95

Function 0042E89B Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2195471812.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42e000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a7869d32078324a04f3260f29ebff30baad3b6c3195159a13303c938b49850
Instruction ID: 2914dc4beb708d3812f23844ce428eb3568d8baa4cade632074ba0b68fea8034
Opcode Fuzzy Hash: 39a7869d32078324a04f3260f29ebff30baad3b6c3195159a13303c938b49850
Instruction Fuzzy Hash: EDE0E571B0122427C221665BAC05F677B68CFC2B24F49006AFD499B342D569AC0183E8

Function 0042E724 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2195471812.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42e000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b44a2347fc5edf7427ba9bff9d23009c540bb892d19264b95de638a4f2fe0d
Instruction ID: 87ae84252e92c4618c92d52a42c1ff96d4df01b10b37dad19770904ab2772d23
Opcode Fuzzy Hash: 61b44a2347fc5edf7427ba9bff9d23009c540bb892d19264b95de638a4f2fe0d
Instruction Fuzzy Hash: 9CF0E532640209AFD704DF51ED85AEB3368EF84350F088219F91C8B545D734D2058795

Function 0042E733 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2195471812.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42e000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ef528ffe0e170a3cef873f6df4c85ba0a2c463b2f6557ba9733242547fe666
Instruction ID: 7afdc5125c63738d28b1d0f49e6e34684628c59aeffbb44556952c0c0970db47
Opcode Fuzzy Hash: c6ef528ffe0e170a3cef873f6df4c85ba0a2c463b2f6557ba9733242547fe666
Instruction Fuzzy Hash: A6F01C76650309AFDB04CF99C881EEB73A9EF88750F04C159FD288B641E774EA10CBA1

Function 0042E8A3 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2195471812.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42e000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f5e612f479f8a387477922d3b98dc3a405dc01a4c2e86a51c4c3a341f83d84
Instruction ID: a7fd2963584621a78af88b5b398ec69ff6abaabe3df6566a0651cab44ab423e8
Opcode Fuzzy Hash: 28f5e612f479f8a387477922d3b98dc3a405dc01a4c2e86a51c4c3a341f83d84
Instruction Fuzzy Hash: F4E04836B0122467D220659B6C05F67775C8BC1B60F45007AFE0897341D5A5A90142E9

Function 0042E7C3 Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2195471812.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_42e000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d323d543d917f45d49b36ff89283240008c49757f2bf0b73481cbbd4fdbcd21
Instruction ID: 5f8e7d88003c7b4f5144a9856a5fbfd15f060c851097c637d44b119f74364b9b
Opcode Fuzzy Hash: 4d323d543d917f45d49b36ff89283240008c49757f2bf0b73481cbbd4fdbcd21
Instruction Fuzzy Hash: C2C012716002086BD704DA98DC46F65339C9748614F444055B90C8B241D571B9104654

Non-executed Functions

Function 01394755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01394809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01394888
minkernel\ntdll\ldrredirect.c, xrefs: 01394899
LdrpCheckRedirection, xrefs: 0139488F

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 322174bc5692e0988aad01f8b53438eb430e7ee284864b6e987f0685bac6bc3a
Instruction ID: 8f4411ed25eb0e6708a8960c1c77fdc79040849fc76c9c98b27e9f2db075e66a
Opcode Fuzzy Hash: 322174bc5692e0988aad01f8b53438eb430e7ee284864b6e987f0685bac6bc3a
Instruction Fuzzy Hash: 1F41E232A182558FCF22CF5DDA40A2A7FE8EF49A58F06056DED59DB311E731D802CB81

Function 0135096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01352DF0: LdrInitializeThunk.NTDLL(0138E73E,0000005A,013ED040,00000020,00000000,013ED040,00000080,01374A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0135AE00), ref: 01352DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01350BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01350BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01350D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01350D74

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 67e32bb2580c830fd485c15fc8124b8dc63db13e0cf084348be0757114346ecf
Instruction ID: 87aeabeb6848a58cefa16b3b09dd75f54484f9b0571700df380b5d39fa9ab6e4
Opcode Fuzzy Hash: 67e32bb2580c830fd485c15fc8124b8dc63db13e0cf084348be0757114346ecf
Instruction Fuzzy Hash: FF426B71900715DFDB65CF28C880BAAB7F4FF44718F1445A9E989EB241E771AA84CF60

Function 0133EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d92c688944ed5c552969daa42de0382c9961ef933dd6a8ab20d04eac741e00
Instruction ID: 7cc0483bbed485d7469a7c94a0935da0f191a4c250acf852405c81bed0ec5e0a
Opcode Fuzzy Hash: 39d92c688944ed5c552969daa42de0382c9961ef933dd6a8ab20d04eac741e00
Instruction Fuzzy Hash: 74E12074D00608CFDB26CFA9D980AADFBF9BF88308F20452AE546A7221D770A845CF15

Function 0131EA80 Relevance: 6.1, Strings: 4, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 0131EB62
, xrefs: 0131F299
{, xrefs: 01374643
T, xrefs: 0131EB4E

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: $R$T${
API String ID: 0-4276472446
Opcode ID: 101b4490278616e7dd8af2c8227b17cae3314ee40210543861453eec17e6e760
Instruction ID: e2998a88d786d5b4ef330b1b1c1e3790a3dbf46ee5e94e2e1de9bb6f89492b7e
Opcode Fuzzy Hash: 101b4490278616e7dd8af2c8227b17cae3314ee40210543861453eec17e6e760
Instruction Fuzzy Hash: B8A26D74A05629CFDB79CF18CC987A9BBB9AF45308F1442E9D90DA7254DB35AE84CF00

Function 01344C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 01344C96
0, xrefs: 01344CC3

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 2c8b4d2f5b0c1296a26d9d47f28eb3fcdf34fc47a7643f697a89a632bbf925cc
Instruction ID: 6e954d11dd3d4b5f16c22050997d02d2fb5a9a4cd2bb476d427a422bdb0587d7
Opcode Fuzzy Hash: 2c8b4d2f5b0c1296a26d9d47f28eb3fcdf34fc47a7643f697a89a632bbf925cc
Instruction Fuzzy Hash: 165189B1A00218CBDF26DF99D984769FBF4FF4575CF14802AD0899B256EB70E985CB80

Function 01394F40 Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

.DLL, xrefs: 013950C7, 0139519C
.Local, xrefs: 01395170
\, xrefs: 01394F66
/, xrefs: 01394F6D

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\
API String ID: 0-80926707
Opcode ID: 323d4374e9045bf7ec4974c663e705ae674b6f5fa992657707daf9d5d9858476
Instruction ID: df1b96245d2ae2e787ebc0bfc96ac531e47eb9182b8e1dc3a3f3065ef439b7a7
Opcode Fuzzy Hash: 323d4374e9045bf7ec4974c663e705ae674b6f5fa992657707daf9d5d9858476
Instruction Fuzzy Hash: 4F91B172D0061A8BCF22CFADC881AAEB7B4FF48718F59416AE915E7350E735D941CB90

Function 0131ADE0 Relevance: 4.3, Strings: 3, Instructions: 573COMMON

Download Yara Rule

Strings

J, xrefs: 0131AEAE
H, xrefs: 0131AEC2
#, xrefs: 0137363D

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: #$H$J
API String ID: 0-1987776496
Opcode ID: a85a8f9e010bb68efde49a9ea49cd8c4ae85bb96674358a92f6925baff189e66
Instruction ID: 90b9871fd44f9028d44bb0b39a34fc49c2a315b299051a5ef6250dda4edad5b8
Opcode Fuzzy Hash: a85a8f9e010bb68efde49a9ea49cd8c4ae85bb96674358a92f6925baff189e66
Instruction Fuzzy Hash: 7D32A17190026DCBDB3ACB18CC94BEEBBB9BF44348F1041E9E849A7259D7359E858F40

Function 0132AD00 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

DLL search path passed in externally: %ws, xrefs: 013780A6
minkernel\ntdll\ldrutil.c, xrefs: 013780B7
LdrpInitializeDllPath, xrefs: 013780AD

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: DLL search path passed in externally: %ws$LdrpInitializeDllPath$minkernel\ntdll\ldrutil.c
API String ID: 0-109579469
Opcode ID: 3ccfc40e61e5fd5eb4f4ba0ccbf0efa861945cfaefc9e1d1e4ce0573e748b121
Instruction ID: 5a1b988c8f37abe74c7f08d2b87c556577ae1a805c5bb3d14687d369e6114e17
Opcode Fuzzy Hash: 3ccfc40e61e5fd5eb4f4ba0ccbf0efa861945cfaefc9e1d1e4ce0573e748b121
Instruction Fuzzy Hash: 8C1202716083669FD335EF28C840BAAB7E4BF84B0CF04495DF9858B691E738D944CB92

Function 01336962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0137CA51
@, xrefs: 01336C24

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: bd7ecab595fe7928a5c0e1bd25a59a800470860751d89908271ce6cb5cc8ee62
Instruction ID: 98dbb783fc68dad1e85abfe50cf5cbf751fef2dde5d74849ded02590e3fafbf1
Opcode Fuzzy Hash: bd7ecab595fe7928a5c0e1bd25a59a800470860751d89908271ce6cb5cc8ee62
Instruction Fuzzy Hash: 73C28EB16083459FEB25CF28C881BABBBE5AFC8718F04892DF989C7241D734D945CB56

Function 013104E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0131055E

Strings

kLsE, xrefs: 01310540

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 61cfe675931b384b3eb6f676ecc4d75a6664e9a52420babd7d12076471ea42cb
Instruction ID: d035e45e1db07a1c71ac0d81eca8146b8bd60f20ee0e994b4f1f025c27306ec9
Opcode Fuzzy Hash: 61cfe675931b384b3eb6f676ecc4d75a6664e9a52420babd7d12076471ea42cb
Instruction Fuzzy Hash: 9C51AE715047428BD72DEF69C5406A7BBE4EF84318F104C3EFAAA87245E7709985CB91

Function 01392349 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 01392B74
@, xrefs: 01392942

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 02676eca5137597a6d526f748fb6cc7976cd3d44b009922e9f9581f8cffef5a8
Instruction ID: 7c5c607f22cc4d2abfdf97da23430b2cde480c5428c31ff89dc22370f83a0afa
Opcode Fuzzy Hash: 02676eca5137597a6d526f748fb6cc7976cd3d44b009922e9f9581f8cffef5a8
Instruction Fuzzy Hash: F7928F71604742AFEB21DF29C880F6BBBE8BB84758F04492DFA95D7251D770E844CB92

Function 01344D1D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01344D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01383640, 0138366C

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3711822496
Opcode ID: f5b0261cf2ab60cff7068b4ce750c41780def38b0ce2430c3a149c2b232331ed
Instruction ID: ca2c3ae238b2615a0356962ea1a9c00d434f93ec1ba6ac2069a677bcb2288e50
Opcode Fuzzy Hash: f5b0261cf2ab60cff7068b4ce750c41780def38b0ce2430c3a149c2b232331ed
Instruction Fuzzy Hash: E0312932900611AFEF36EB0DC848B25B6E4BB03A5CF06403AD68457663D7B0FC808795

Function 01354F03 Relevance: 3.0, APIs: 2, Instructions: 28timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01354F1F
RtlDebugPrintTimes.NTDLL ref: 01354F55

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9dac4c94479ab3bfe755a7997cd6612fcdd4069816fb530bd650d986fbe1ca44
Instruction ID: b4c8d589aef955cc1f1e06942d5f8ee2cea3866477b2ce58c42cd84449a399ec
Opcode Fuzzy Hash: 9dac4c94479ab3bfe755a7997cd6612fcdd4069816fb530bd650d986fbe1ca44
Instruction Fuzzy Hash: CBF09030148682CFE369DF19D648F1573E4FB48B04F044439F80A8BAA0EB746D44CF51

Function 0131A3C0 Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0131A3F7
8, xrefs: 0131A3E7

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: 6$8
API String ID: 0-105715976
Opcode ID: 44c85f3b52100dc164e964b9c34ab57b4755f8439605e431276487e649d3206f
Instruction ID: 19befc62ee0077ce75cef4611314d7befcc2999239908b6c5d2bcbd24fa45c12
Opcode Fuzzy Hash: 44c85f3b52100dc164e964b9c34ab57b4755f8439605e431276487e649d3206f
Instruction Fuzzy Hash: 8EC1AD70109386CFD729CF58C040B6ABBE8BF84709F04486AF9959B759E738CA49CB52

Function 01342CF0 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

.Local\, xrefs: 01342D91
@, xrefs: 01342E4D

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 25aa772cabbac1fc0ba0fe1ea14f41062817f0126b1fd83aa6d711a83096555c
Instruction ID: b72e84880ba44936e245acc3d801500d059ecff6261585b048f62df7b35e7cfa
Opcode Fuzzy Hash: 25aa772cabbac1fc0ba0fe1ea14f41062817f0126b1fd83aa6d711a83096555c
Instruction Fuzzy Hash: AE81DE711043429FDB21DF19C880A6BBBE8EF86718F44896DFC95DB241D370E944CBA2

Function 01316A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b953e6324352b225647e66bcab6120d6e394333448ab597e1ea14ff2ebfde2
Instruction ID: b81caab5b960d2ce6eade9dc5a2bf981961c08376ae4782c9161c4d56c9062ac
Opcode Fuzzy Hash: 35b953e6324352b225647e66bcab6120d6e394333448ab597e1ea14ff2ebfde2
Instruction Fuzzy Hash: 6432C0B1A00205CFDB29CFA9C880BAAB7F5FF48308F148569E956AB795D774E841CB50

Function 01320770 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c561994feac153ea6049c755bffe12962372dbbe58106e8f3a23751131a299a2
Instruction ID: ca4e8afc350de0b7c909275dc57fd2a777822b9c7db41dd872ade845f692b6e1
Opcode Fuzzy Hash: c561994feac153ea6049c755bffe12962372dbbe58106e8f3a23751131a299a2
Instruction Fuzzy Hash: 2DF1BD7070060ADFEB29DF68C884B6ABBF5FF44708F148168E4169B791D734E985CB90

Function 0133E5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ea92f2cedda9450e22b213e458c9d3c283815493690bcbdd84eb7ae00969d4
Instruction ID: f6d3853a6a710cf6ad9507885ff4608a6944b8c923a63e3b03005a30975c89b2
Opcode Fuzzy Hash: e4ea92f2cedda9450e22b213e458c9d3c283815493690bcbdd84eb7ae00969d4
Instruction Fuzzy Hash: 99A11771E006199FEF32DB5CC844BAEBBA8BF4472CF050125EA20AB291D7789D41CBD5

Function 0134CDB1 Relevance: 1.7, APIs: 1, Instructions: 197timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0134CE7D

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6850fd6887e673d3d70f62739ecb20a707d566c88dbf2de1cb0d72472366b478
Instruction ID: a1b2d4338400871cc58eef7635262e4d29e1bd8fd40bd6b4c71d1a987fbec3db
Opcode Fuzzy Hash: 6850fd6887e673d3d70f62739ecb20a707d566c88dbf2de1cb0d72472366b478
Instruction Fuzzy Hash: B461D171A0120ADFDB19EF6CC880AAEB7F5FF48318F109169E615EB291D734A941CF50

Function 013203E9 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01374D8A

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 186701894867884d1889c5a941d8a8653d70b63a898604043cd3f6e55c2e8f5d
Instruction ID: d9cd74355f2f10bbad48e3b62df8ae3e74495a410f8b6b6e5468a37ee726bb17
Opcode Fuzzy Hash: 186701894867884d1889c5a941d8a8653d70b63a898604043cd3f6e55c2e8f5d
Instruction Fuzzy Hash: 0E713971A0015A9FDB15EFA8C994FAEB7F8FF08708F144065E905E7251EA38ED45CB60

Function 013429F9 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 0138259B

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4cc9c82bb0c3cb9b3158e1d60c6f97e912f62325509971ab9fef07d6eba674b1
Instruction ID: adfc08f33686f44e7abd92b6aa34bf1402ff5a5ea2ea31e4e1277813f908bfcf
Opcode Fuzzy Hash: 4cc9c82bb0c3cb9b3158e1d60c6f97e912f62325509971ab9fef07d6eba674b1
Instruction Fuzzy Hash: 730242F1D002299BDF31DB58CD80B9AB7B8AF54718F4041EAE649B7241D770AE84CF69

Function 01330C44 Relevance: 1.7, APIs: 1, Instructions: 152timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01330CDC

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e075c68c78d5bf8f71ac7567588f7c7b5d3bf3172f1298fdd69b6b9601af15f8
Instruction ID: 4d9481e7204d80c2c5171f841b266394dd06c7fd41cf9c15328f5c81ed1abbc6
Opcode Fuzzy Hash: e075c68c78d5bf8f71ac7567588f7c7b5d3bf3172f1298fdd69b6b9601af15f8
Instruction Fuzzy Hash: 3151B574A00205DFDB29DF6DC941ABEB7F4EF84608F14446DE902DB651E635AE42CB50

Function 0134C720 Relevance: 1.6, APIs: 1, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0134C7BF

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 89cdfbe3d529139858c39763732e95ffa51166d1a976c610c226fdf7e3fce752
Instruction ID: 006452d94a7a1b9a4a05f1d5c2b4f2cfd473dfaf671285ddf15ef740e4f9eb49
Opcode Fuzzy Hash: 89cdfbe3d529139858c39763732e95ffa51166d1a976c610c226fdf7e3fce752
Instruction Fuzzy Hash: 9F412171555301AFD722EB69DD40B5B7BE8FF48A58F00492AF949D32A1E770E800CB91

Function 013064BA Relevance: 1.6, APIs: 1, Instructions: 123timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0130656C

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 73803ce0292674d4761bf6890633d4b9681959c7732eaa5e5fcfea6f55906f89
Instruction ID: 4843a7bd66edd81fcf2d8a38a0b605bb2d0d5e3c4b00fa3d05419831e5222166
Opcode Fuzzy Hash: 73803ce0292674d4761bf6890633d4b9681959c7732eaa5e5fcfea6f55906f89
Instruction Fuzzy Hash: 9941E570254305DFE722EF19D951F6ABBECFB84A4CF00842DE5466B1A9D630E904CB62

Function 0131262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01312710

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 972cb21fb816efc042798fd79170ecd96f524c5364212792183a2bbe10bf486e
Instruction ID: 337a02f2594b77496d2a421ed987980ec3c0e5acb74171a0b5f5c27f394c3dc2
Opcode Fuzzy Hash: 972cb21fb816efc042798fd79170ecd96f524c5364212792183a2bbe10bf486e
Instruction Fuzzy Hash: 4E41E3B1501705CFC72AEF29D900757B7F5FF54328F20856AC41A9B6AADB709941CB41

Function 013907C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0139083C

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1db345ee96d2a3986b378582cf44b599874791296e55fec649059ccc77ef6aee
Instruction ID: 5bb0349a216b1c1c1175c7efe553774923516acde89885821fbbc0d3129591a5
Opcode Fuzzy Hash: 1db345ee96d2a3986b378582cf44b599874791296e55fec649059ccc77ef6aee
Instruction Fuzzy Hash: 8D419F716083059FD760DF29C844F9BBBE8FF88658F004A2EF998C7251D7709904CB92

Function 0133245A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1077e4bc2544614262946a4576dbfd8b821e91ddea334b6af3753e7041167918
Instruction ID: e9f504829bf960384dd40f58b2dbfd0812d5a382fc2c14aac59940b4794a5da1
Opcode Fuzzy Hash: 1077e4bc2544614262946a4576dbfd8b821e91ddea334b6af3753e7041167918
Instruction Fuzzy Hash: DB316D72600205EFDB32AF5ED981E6EBBF8FB85B08F1A006DF90167265C7745951CB40

Function 01314859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 013148F7

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 899309a17a2feb5590cde064eb5b29c178238eff55eac5ca1075752fdcc0f670
Instruction ID: c489f744c703c5ba643f3a82dec5896f896fc5653c2446d6f74d4be3bd244873
Opcode Fuzzy Hash: 899309a17a2feb5590cde064eb5b29c178238eff55eac5ca1075752fdcc0f670
Instruction Fuzzy Hash: 0A4109302003028FD729DF2CD884B2ABBEAFF85768F14442DE6458B2A5DB70D811CB51

Function 01308A00 Relevance: 1.6, APIs: 1, Instructions: 85timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01308A8B

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 051d38b58259a9549f250569c15dab553a6056c23d8e236f481f14e9a94e0235
Instruction ID: 369a332717156efd3f0f77b919bea7f8302cd384094b7167a3ea6673cf9525d0
Opcode Fuzzy Hash: 051d38b58259a9549f250569c15dab553a6056c23d8e236f481f14e9a94e0235
Instruction Fuzzy Hash: 9C3106B1A0074AEFDB16DF68D540B6DB7F1FF08318F044159D80257A85C739E890CBA1

Function 01342F98 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

@, xrefs: 01343180

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8cee8163088a5d2947b557bfc9f18f6ffd92318b3ab4f50f60ba76d6e3cb9a85
Instruction ID: 65881261c7d339457d1ba2901018e4894306d2536fce39c275ec4050a71464e5
Opcode Fuzzy Hash: 8cee8163088a5d2947b557bfc9f18f6ffd92318b3ab4f50f60ba76d6e3cb9a85
Instruction Fuzzy Hash: FEC191759002399BEB21AF19CC85BBAB7F8FF54718F1040E9E949AB250E7349E80CF51

Function 0139892A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b55a35042602f7656e09e998e9690e9591abe86965412b9ef0ab25c38500e60
Instruction ID: 8dd75909fb0f6a2ac6ef0fea51f9b8e70fcfd00f37d56668fc4c8b0ecec77025
Opcode Fuzzy Hash: 2b55a35042602f7656e09e998e9690e9591abe86965412b9ef0ab25c38500e60
Instruction Fuzzy Hash: C401F732300209AFEF266B5BD888A567B65EFC765CB04046DF6411A561CB716C41CF92

Function 0139A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0139A51A

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: d1877a643e2c9e46b9fde580aec10314262a1ae5c16efb84c92bb04321660b5f
Instruction ID: 1a89ea233e7997d495c270eb73de665418ed0082b6a82364b7f1243a5a7bc81f
Opcode Fuzzy Hash: d1877a643e2c9e46b9fde580aec10314262a1ae5c16efb84c92bb04321660b5f
Instruction Fuzzy Hash: 13014536210259EBCF129E84D940EDA7F66FB4C768F068215FE196A220C736D971EF81

Function 01398D20 Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01398D6A

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7b860936d06503391a34dda3ca3ac551da1ab936a119c2890df916ea1bb38a41
Instruction ID: b84d948a153c115cbca6534337fe704a603e7201d31e9d8b11b1a871ea5b377d
Opcode Fuzzy Hash: 7b860936d06503391a34dda3ca3ac551da1ab936a119c2890df916ea1bb38a41
Instruction Fuzzy Hash: 9BF090325002486BEB276B1DE848B5ABB59EFD5718F09086EF9492B175C7706C80CE80

Function 01396420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 013965C1

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a65a9dd2372190ea05f552eab7cffc4d522e9490b02102418f241a379f7130d2
Instruction ID: e723ca6531db478ffac313aa6a64091fc2e6293b69e924d29bc03237223d559b
Opcode Fuzzy Hash: a65a9dd2372190ea05f552eab7cffc4d522e9490b02102418f241a379f7130d2
Instruction Fuzzy Hash: B69182B2A01219AFEF21DF99CC85FAE7BB8EF48B54F104055F600AB191D774AD00CBA4

Function 01348402 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01348591

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 89ef7dfb2028bcd73349f945df06ae84e04f962f03f33d245bd504efc793923d
Instruction ID: 6f7a0a069ed9ce8b8e827f94ecca53ba82544d24b78a730c8bb4071f523eb249
Opcode Fuzzy Hash: 89ef7dfb2028bcd73349f945df06ae84e04f962f03f33d245bd504efc793923d
Instruction Fuzzy Hash: 81916E71508345EFDB21EF69C840EABBAE8EF84748F40496EFA8496151E734E944CB92

Function 0134273C Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 013428D8

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: .Local
API String ID: 0-5346580
Opcode ID: 0864b9ccffd84b55f24b4f98f0e3f346ce4deb4596c55782aac0b0e3beca70c3
Instruction ID: b219691010084173f5b04a321bac31c416381b716a0e676d857d2935193fcfc1
Opcode Fuzzy Hash: 0864b9ccffd84b55f24b4f98f0e3f346ce4deb4596c55782aac0b0e3beca70c3
Instruction Fuzzy Hash: D2A1CF35900229DFDB24DF69DC84BAAB7B4BF58318F1541E9E908B7251D730AE80CF90

Function 0130A197 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0136C1E4

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: \??\
API String ID: 0-3047946824
Opcode ID: 1b89e831f6566180a040f683abd36b462b2d2644c2c1d717b69979fadc1cce07
Instruction ID: 162cf9a3b7785b88070df920d52cae8d4bfa5d73a54748d401473db7c49e6118
Opcode Fuzzy Hash: 1b89e831f6566180a040f683abd36b462b2d2644c2c1d717b69979fadc1cce07
Instruction Fuzzy Hash: B1A17D719112299BDF32DF68CC98BEAB7B8EF48718F1041E9E909A7250D7359E84CF50

Function 01348620 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 013852E3

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 22be458196e123855fd0b5da0f529eb0ac0caa789653e563fdeebc304a463390
Instruction ID: 879e9751b9caba9920c9ec872f7b41cfa6d945847fc3575a38c4b07a3d7c7eee
Opcode Fuzzy Hash: 22be458196e123855fd0b5da0f529eb0ac0caa789653e563fdeebc304a463390
Instruction Fuzzy Hash: F9818C71A00348EFDB21DF9AC845BAEFBF9EB08718F104169F605B7650D3B5A940CB60

Function 01348BF0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(, xrefs: 01348D3B

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 7ea0b1461eaa9bc592017955a5a9e0575b05d038b7f537ed516bd7bef952b895
Instruction ID: 66f4e5cada4f5292816ef5f5ec82ae4b6c6342647c7259f88c99b1374d7a0e69
Opcode Fuzzy Hash: 7ea0b1461eaa9bc592017955a5a9e0575b05d038b7f537ed516bd7bef952b895
Instruction Fuzzy Hash: 8B919770D01749CFDB22DFA8C880ADEBBF5BF59318F2041AAE805AB391D771A901CB50

Function 0130CCC8 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 0130CD63

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: db937658974c155e8b137d421a89bb277d66392e0c86cd17baa8d961c0edc7ff
Instruction ID: ce888d09da687e3c61505d21ea7a0eba46f3844a89e666f18cd76b810c4ae0fe
Opcode Fuzzy Hash: db937658974c155e8b137d421a89bb277d66392e0c86cd17baa8d961c0edc7ff
Instruction Fuzzy Hash: 1351E376504346DBC712DF68C854A6BB7ECAF88718F41496EFA85F7340E734DA0487A2

Function 0130A580 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(, xrefs: 0130A668

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 1ae5dc427d393264765db422be7f3098b12044ecf064041f823cc5f202916281
Instruction ID: 86c3962b4dea143b4116bd0b27ff4b499eed6c73c8b543e2671183b00516aaff
Opcode Fuzzy Hash: 1ae5dc427d393264765db422be7f3098b12044ecf064041f823cc5f202916281
Instruction Fuzzy Hash: 1E5119B191135ADFCB11CF99D880ACDBFF9FF18718F10822AE509AB681D7749941CB94

Function 01312140 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(, xrefs: 01312253

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 8a5ca2e9911731061633a6dc683ec9b325b6dc7604d0776ba456e6c8c5fda5ed
Instruction ID: 9e1bcb4f95cec6d6880a992c12d47fb10d45d7dc9cff3dfabe01f1b75ee3f0e1
Opcode Fuzzy Hash: 8a5ca2e9911731061633a6dc683ec9b325b6dc7604d0776ba456e6c8c5fda5ed
Instruction Fuzzy Hash: 56515CB1D0160ADFCB15CF99C4806CDFBB4BF08728F60462EE818A7684D335A951CBA0

Function 0131EF8D Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

{, xrefs: 013745E6

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: {
API String ID: 0-366298937
Opcode ID: 63ed4ac617a5cfc5951d1a882d6cd9099f94295be55117597d339c872a48c706
Instruction ID: 9a1b98ccd244e7baeb2b510df7a7d045f342d1e556ed9f904e1893e82d38bd25
Opcode Fuzzy Hash: 63ed4ac617a5cfc5951d1a882d6cd9099f94295be55117597d339c872a48c706
Instruction Fuzzy Hash: E951B131E0562A8BDB38CE18CD947ACBBB5AF81218F2442EDC908A7354DB35AD85CF04

Function 0134C6A6 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01388181, 013881F5

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrredirect.c
API String ID: 0-3694840737
Opcode ID: f10509f8a77b5e4d2f98e81a4e78acc2eab69429d3945fa987dfc1f26c86f303
Instruction ID: e1af91e3556be9b912718c2803306a2da5d09423de0e51068dfbd2677537a741
Opcode Fuzzy Hash: f10509f8a77b5e4d2f98e81a4e78acc2eab69429d3945fa987dfc1f26c86f303
Instruction Fuzzy Hash: 463112716543069FD324EF2DD946E1ABBD4EFD4B28F04456CF941AB291EA20EC04C7A2

Function 01394DD7 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 01394E06

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrutil.c
API String ID: 0-4055692389
Opcode ID: 576cd8a4bc0b5f39c062fbdd52c2e53c8ccf4aaebb4997282d6488c5bea2005d
Instruction ID: 8e79acacc9851171bb4a0775f2ac75c67b0c288c14fc0a7680b27036171baf96
Opcode Fuzzy Hash: 576cd8a4bc0b5f39c062fbdd52c2e53c8ccf4aaebb4997282d6488c5bea2005d
Instruction Fuzzy Hash: 09218B32998106BFEF28DA6ECE45D26BB9CFB41A6CF140119F31596690C560DD12C364

Function 013229A0 Relevance: 1.0, Instructions: 966COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ae3fb936f97e804360b6c3af97acaaf9409d0bcab8065febaac44228397d8e
Instruction ID: a7a218d3a0713a982514af9b23ebeb60fb8c349b4b87f0ff598815fe0e296e40
Opcode Fuzzy Hash: c8ae3fb936f97e804360b6c3af97acaaf9409d0bcab8065febaac44228397d8e
Instruction Fuzzy Hash: F392CD70A042699FDB25DF6CC840BAEBBF1FF08318F188059E999AB751D738A945CF50

Function 0131C7C0 Relevance: 1.0, Instructions: 960COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e84e5e9118f372ca37d8504f6f6c1d2908205522378bf6b0d5d71135fb1411
Instruction ID: 2792393808edf0c9e6218f84e6fa993d93e2eabc7134c6c2df2095caec2ea9bb
Opcode Fuzzy Hash: 63e84e5e9118f372ca37d8504f6f6c1d2908205522378bf6b0d5d71135fb1411
Instruction Fuzzy Hash: ED827A75E402188BEB29CFADC884BEDBBB5BF49318F148169D919AB358DB309D41CF50

Function 01322840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1215b8235580eafd41cc5b54d239d4566a2f97adacc4a502a12e0bca891737c6
Instruction ID: 1321b64899e7aa3b1aa690f06dd2881b4dd027a7fa208c778a971df2b911de42
Opcode Fuzzy Hash: 1215b8235580eafd41cc5b54d239d4566a2f97adacc4a502a12e0bca891737c6
Instruction Fuzzy Hash: 87320FB0A00B598FEB35CF69C8657BEBBF6BF84708F14411DD4869B684D739A802CB50

Function 01338DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aadd9cba08c222c2d5bfa7639ce77be120b4e778dd6855baace34c57d74360
Instruction ID: 5fb8d544f073e43cb01e68da35554f63df7120fb6d213b51e241fc5bf8a323ec
Opcode Fuzzy Hash: 26aadd9cba08c222c2d5bfa7639ce77be120b4e778dd6855baace34c57d74360
Instruction Fuzzy Hash: 6E227270E0011ADBDF25CF99C480ABEFBF6BF84718B15819AE945AB241E738DD41CB64

Function 01334A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f00dbd426295e962674e80699d7e836b525dd12313ae669c839d6c857bf5a0
Instruction ID: 07ce32037e1e0ad988dcf512b7afbc34396fc1e21753d52da5af5d23584d0630
Opcode Fuzzy Hash: e5f00dbd426295e962674e80699d7e836b525dd12313ae669c839d6c857bf5a0
Instruction Fuzzy Hash: 0FF18E70E0021A9BDF25CF99C580BAEFBF5AF88718F088129E905AB345E774D841CB64

Function 0131A9D0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b728644a25dc31ff0f937dc9bb6dd24dfbcfd8118f947196164becf2db28d16
Instruction ID: 0478b39980c25ee2382f26c196cb5851d0ca3381ef5651a886c03b89e495ad2d
Opcode Fuzzy Hash: 0b728644a25dc31ff0f937dc9bb6dd24dfbcfd8118f947196164becf2db28d16
Instruction Fuzzy Hash: 8CE19171E012999FEF26CF9DD980BAEBBB9FF08319F144426E901E7255D7389940CB50

Function 01308397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4616de8d1f00dd891aa4bb893e0c24f5717881f4ee0aefae6dd22b9966f40118
Instruction ID: 4f3e9b1946c7b97859e9987ccfe01761a07f76d065212baee024a9bcbfc21346
Opcode Fuzzy Hash: 4616de8d1f00dd891aa4bb893e0c24f5717881f4ee0aefae6dd22b9966f40118
Instruction Fuzzy Hash: DED1F671B0060ACBCB15DF28C8A0ABAB7E9BF5471CF05856DEA15DB2C8EB30D951CB50

Function 013165D0 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d010bb57088c5dcfe54292d1161488a48bdc7c4f33fe1bcf29edcc7dfe7909
Instruction ID: 25afbf034c5e0423995e84288d8f1ba7dafdcae8d8de0be1ba92fc0231b8253c
Opcode Fuzzy Hash: 27d010bb57088c5dcfe54292d1161488a48bdc7c4f33fe1bcf29edcc7dfe7909
Instruction Fuzzy Hash: 8EE1CFB1608342CFC719CF6CC490A6ABBE1FF88318F05896DE9958B355E770E905CB92

Function 01398243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction ID: 460e4a351a88bd64b03f416674cafa6ba3b0ef118ee6abe769cf2c60196953d2
Opcode Fuzzy Hash: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction Fuzzy Hash: 67B14375A0060D9FDF24DF99C940AABBBB9FFC6308F1444ADAA42D7791DA34E905CB10

Function 01320535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction ID: adaa75d3bf2fe0dbc420087abe0900c126c9046099416cf75e40ac3a562211aa
Opcode Fuzzy Hash: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction Fuzzy Hash: 7AB1483160465ADFDB2AEBACC840BBEBBFAAF44218F240158E55297681D734ED45CB90

Function 01330DE1 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1323c964477fc94b5f04be71bbf3a296b810a08dfd62f9f098ca02c6b831ad62
Instruction ID: d944b0c511b81ec643832d5731106cd6fd22366510320a782aa96c378a1cda23
Opcode Fuzzy Hash: 1323c964477fc94b5f04be71bbf3a296b810a08dfd62f9f098ca02c6b831ad62
Instruction Fuzzy Hash: B5C18B70E00319DFDB29DFA9C984AAEFBB9FF88308F10412AE505AB255D774A845CF54

Function 013183C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0fce57473387437be541ce0f780154886aac52e79dbf15271244969b329b5e
Instruction ID: bafd6fe5db629b674269b9216abcfaa2570fcbe11f2734e4213cd04c3a523ab0
Opcode Fuzzy Hash: fd0fce57473387437be541ce0f780154886aac52e79dbf15271244969b329b5e
Instruction Fuzzy Hash: 2CC14675208341CFE764CF19C484BAABBE5FF88308F44496DE98987295DB74E908CF96

Function 0130C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d3884bdf940750894e8440eb4db5c30b58174dec686310995b90ef91bc91c6
Instruction ID: 9af8bbf5315b6dad886e9d3a730f32db7a7dcdc9f9f763675286403acc89aec0
Opcode Fuzzy Hash: 89d3884bdf940750894e8440eb4db5c30b58174dec686310995b90ef91bc91c6
Instruction Fuzzy Hash: 25B19174A0026ACBDB75CF59C890BA9B3F5EF44708F0486E9D50AE7281EB31DD85CB24

Function 01350185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84d6bea4ef536ebc8d0425815f8c6bfc2e328227816f2e7218a623c5b89eb9b
Instruction ID: 0ae2f7798d17bdee005c932d89106ca15f6ff772ec744394f8c037fe26babb7f
Opcode Fuzzy Hash: a84d6bea4ef536ebc8d0425815f8c6bfc2e328227816f2e7218a623c5b89eb9b
Instruction Fuzzy Hash: EBA1B270B0071A9BDB69DF69C990BBABBB5FF4471CF044029EE45A7281DB35E801CB90

Function 013960E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825cc6740754be460bf818e3af9685eda0e7864b2f496f1e05d0af4a4b68af9d
Instruction ID: a892b3e06f47be9439261e55054c25542d5850fbcdcd13269804f0452da0efe7
Opcode Fuzzy Hash: 825cc6740754be460bf818e3af9685eda0e7864b2f496f1e05d0af4a4b68af9d
Instruction Fuzzy Hash: 0191C3B1D0121AAFDF15CFA8D885BAEBFB9AF48714F154169E610EB350D734DD009BA0

Function 013463FF Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96861fa8df6fb76397f63a952e687701db0b1d9d2023ad60f91f04a9c89a863a
Instruction ID: d0af5a6a5fab961bc5653c197960fba23ae9a857710b9e52b45153ee95d874e8
Opcode Fuzzy Hash: 96861fa8df6fb76397f63a952e687701db0b1d9d2023ad60f91f04a9c89a863a
Instruction Fuzzy Hash: D6912770B00316DBEB26EF59D945BAA7BE5EF52B2CF00412DE9017BB91D774A801CB90

Function 01320C00 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e582e9fcbceb298bb79f42f6441bb1078ff4e47b5fb0fe8b12598e8f2b139c9e
Instruction ID: 86437bf23d4acb78a759dd3e25151d74881c4ba720352b9364ffb4f0d7224b2e
Opcode Fuzzy Hash: e582e9fcbceb298bb79f42f6441bb1078ff4e47b5fb0fe8b12598e8f2b139c9e
Instruction Fuzzy Hash: 9FA1F77060072A9FDB2DEF28C49077AFBE5AF44718F148169E49A8B785D734E848C791

Function 013989B3 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8566fb1eeea69703d8d39a1b811b00dd38ec5a909f032c66975e8fe9c13fca5
Instruction ID: e4f3a327e4e7ce7e0975610fb287a35df879578ce4cdbda11620065638f2d861
Opcode Fuzzy Hash: b8566fb1eeea69703d8d39a1b811b00dd38ec5a909f032c66975e8fe9c13fca5
Instruction Fuzzy Hash: 3D91047164174AAFDF22EF2D8980B1AB7A8EF9571CF0544ADFA446F291C770AC408F91

Function 01344AD0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfc7d8694cf09daef3907c31215dd7aff42986eea0347ea578aec5dcdded864
Instruction ID: 2cd586044de804f82b991f02ac9e074822f14ecaa54e565e58b332adae10ab3b
Opcode Fuzzy Hash: ccfc7d8694cf09daef3907c31215dd7aff42986eea0347ea578aec5dcdded864
Instruction Fuzzy Hash: 65614436644712ABDB22DF1CC841B2ABBE5FF80B18F18852DE995AB741D730EC01CB95

Function 01366ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c443ad57271ae7000efe323570fa7fdecd78b81586040d7c6aa32ae4b09719
Instruction ID: 82fd8add6d29c7295993c9e12f6b4eaaf23e5555e5b6ae1fb1dccf6f759bd4ac
Opcode Fuzzy Hash: 06c443ad57271ae7000efe323570fa7fdecd78b81586040d7c6aa32ae4b09719
Instruction Fuzzy Hash: 1F81C5B1E0061A9FDB18CF69C841ABEBBF9FB48744F14852EE845D7644E334D940CBA4

Function 01306D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1056b3eafe50c8c1c3e35804943fdb68ea24ddd3e581d5bd15824b2608408d5d
Instruction ID: bab4cbaa29aa2ae2b7dd19442973b4197970de3155b63f35c93616c2cde29421
Opcode Fuzzy Hash: 1056b3eafe50c8c1c3e35804943fdb68ea24ddd3e581d5bd15824b2608408d5d
Instruction Fuzzy Hash: 2C719FB16047069FDF21CF19C980B6AB7ECFB5825CF04C929EA55D7608E730E954CB92

Function 0134E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c94e4242d078bea09897b2fe96d370267da2263d4810a9ccbdb94c13d13225
Instruction ID: 11d530fab8efd9e1df4ffaf9d763b92ab8ecf623532b9ba5e5c53ee5c6caedc0
Opcode Fuzzy Hash: d3c94e4242d078bea09897b2fe96d370267da2263d4810a9ccbdb94c13d13225
Instruction Fuzzy Hash: 67814C71A00609EFDB26DFA9C880BEEBBF9FF88358F104429E555A7250D734AC45CB60

Function 013164AB Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32491ae0e3a64310e63351f44308d99841d286afa003db294db51b09f7f22d55
Instruction ID: bd274d8456237dc59a0669d17de0e17c0732a50d685c26fb26b106f708b1c389
Opcode Fuzzy Hash: 32491ae0e3a64310e63351f44308d99841d286afa003db294db51b09f7f22d55
Instruction Fuzzy Hash: DB71ADB1904305DFCB21DF58C885F9B7FA9AF95B68F000468F9498B28AD774D588CBD2

Function 0132C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4641d1973e792670dbfdcea30bd26ec940e4532fc848e4a1e4f4f387a529542f
Instruction ID: 4e6e080cc0d2a53a560da6875504757f360df1f5f762a27e81eb81aca31a0b3f
Opcode Fuzzy Hash: 4641d1973e792670dbfdcea30bd26ec940e4532fc848e4a1e4f4f387a529542f
Instruction Fuzzy Hash: A171DB75C00229DFCB369F59C9907BEBBB5FF48718F14415AE846AB750E334A800CBA0

Function 0134A660 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab24d39a02dfed3672687f1f750a21691c037132c0c88ba620ba2287c3f6aa0b
Instruction ID: 2255fc6bfe0524899c4b35aa3065f17559258cab59cd398ad923992917c392d7
Opcode Fuzzy Hash: ab24d39a02dfed3672687f1f750a21691c037132c0c88ba620ba2287c3f6aa0b
Instruction Fuzzy Hash: 10717FB5E0031ACFDF28EF9CD5916ADBBB1BF88718F14812EE50AA7241E7319941CB50

Function 0139035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction ID: 7232896cd0fa68624815057e4e467377ada6eb892b24de72dcd442b1f077ad46
Opcode Fuzzy Hash: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction Fuzzy Hash: FD716C71A0061AEFDF14DFA9C984AEEBBB8FF48718F104569E505E7250DB34EA41CB90

Function 01318AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5182cbbbf71b1932314af675f656c33c7e3887f6234eece5a6b190053a2d2cc9
Instruction ID: 777bb77add82927864fd235e0002b3915aab2897e2b82c93a84ecdd006c2d07e
Opcode Fuzzy Hash: 5182cbbbf71b1932314af675f656c33c7e3887f6234eece5a6b190053a2d2cc9
Instruction Fuzzy Hash: 9781C072A043158FDB29CF9DC584BAE77B5BF48318F19416DDA00AB695C738DD40CB94

Function 01320A5B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34aad1e8321293c6ea3b185de82e95cc4c5bb16642ac7719577b2ccc6b3844fb
Instruction ID: c5a2186dba3f88ab5be788f7acc05285769a554d2e48d134d2e921a32c06487b
Opcode Fuzzy Hash: 34aad1e8321293c6ea3b185de82e95cc4c5bb16642ac7719577b2ccc6b3844fb
Instruction Fuzzy Hash: B161CC70600306DFEB2DDF28C480B6ABBE5FF44708F14856AE4998F692D774E885CB91

Function 0130CF50 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db7ced273f109870a3119fbeff8411b08063341be5324f50c129b50302a2ba0
Instruction ID: ec34a279d324742baee1ca8dd30e99a21c6c71520076442de7238f7073962410
Opcode Fuzzy Hash: 5db7ced273f109870a3119fbeff8411b08063341be5324f50c129b50302a2ba0
Instruction Fuzzy Hash: 0E71BC71500B028BD7339F68CA10B22BBE8BF943B9F144B6DD9D2039E2D334A845CB41

Function 013261D1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03cf051d22082657584df9648dea4cac578c848f8a5e296a90c701901f1a00e
Instruction ID: 7a1671f3bb1dfeb33cd292a064188bdcd5b7e8a2457837d32ae9b26cb31ac96b
Opcode Fuzzy Hash: f03cf051d22082657584df9648dea4cac578c848f8a5e296a90c701901f1a00e
Instruction Fuzzy Hash: C871D1B4A016368FCB26DF58C8517ADB7B2BF85308F24451CDD96AB381CB34AD42CB80

Function 0132E413 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fbdd261a7e474a46850b9c103e5da93300ed77a22d5ee25fcf459c3851da10
Instruction ID: fa9994042218d41ca58f6229625898864c4c2460eb599fa24ad7cdb70aedd3aa
Opcode Fuzzy Hash: 48fbdd261a7e474a46850b9c103e5da93300ed77a22d5ee25fcf459c3851da10
Instruction Fuzzy Hash: 2B612331A00626CBEB24EB2DC841B79BBA1FF9572CF194169EE05EB390E638D841C751

Function 0138E6F2 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66aa57af6c62f038481050d81ddbe49abc2b8c185b28b96b25d2d5763eb4af29
Instruction ID: e1b8d81c01094ce8bbbab7bb31c6f7eb75bb06210427d030e440f8921849f329
Opcode Fuzzy Hash: 66aa57af6c62f038481050d81ddbe49abc2b8c185b28b96b25d2d5763eb4af29
Instruction Fuzzy Hash: 18615D71E103199FDB14EFA9C840BAEBBB9FB44708F54407DEA49EB251D731A940CB50

Function 0133ED25 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11b5cf8497647d5982682b5f78e6de65b462c0696bc74bc72d5c3006cc48ae8
Instruction ID: 7105365080c48bf89b750a2361a0c646f9e7e88abd17ab371a0a63f8ce1b7935
Opcode Fuzzy Hash: b11b5cf8497647d5982682b5f78e6de65b462c0696bc74bc72d5c3006cc48ae8
Instruction Fuzzy Hash: 8351DD71200702DFDB31EF6DC884A6BB7A9FF8461CB104A3AE40A97A51DB74E845CB94

Function 0131AC50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb335f70b396407c77004f555e0597f013c2c7509ddb3393e308029d7368b532
Instruction ID: f0430df37b58a3f6efc7218bbacf7b685ee763a721058bfeaac3d693d8001abe
Opcode Fuzzy Hash: eb335f70b396407c77004f555e0597f013c2c7509ddb3393e308029d7368b532
Instruction Fuzzy Hash: 7B61F471A05A899FEB2ACFACC850B9DB7B4FF0471AF040029E901EB695D778D900C760

Function 01352160 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317fcd654b0a8bd4a7d25339f45ee5517cd00d14acde7bc8908626281fa7b76b
Instruction ID: e2597fdeb01add1f3c7dbbbbbcae5057b342798a606069dafa7c6f53d3202627
Opcode Fuzzy Hash: 317fcd654b0a8bd4a7d25339f45ee5517cd00d14acde7bc8908626281fa7b76b
Instruction Fuzzy Hash: D0514D71A00709DFDB54CF9CC840BEEBBF5BF48758F24822AE925E7284D334AA418B50

Function 0133CDF0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction ID: 9c59b5924890ca161cd912f55f17cb66afda5442e3452cb83d7387847e6ad64b
Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction Fuzzy Hash: 3A51437AE0064BDFCF24CF9CC5806EDBBB5FB88219F1981BAD915B7240D6389941CB54

Function 0133EDD3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de07d8616b996a306214c38eec971e8e160c0aab57bc3b049218b6a319caedf
Instruction ID: 695fa42fa13fda93607d5a6778fc776abf7b2a0defe1b636500df1873c49e87b
Opcode Fuzzy Hash: 7de07d8616b996a306214c38eec971e8e160c0aab57bc3b049218b6a319caedf
Instruction Fuzzy Hash: 2E51DD70200745DFDB31EB5AC884B6BB7A9BF8471DF10492DE10A97A51C7B8E844CB94

Function 0134E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5048ddf2475fcc4bfbd415682374444c3197fc08abffe3e1d467f79c691fd455
Instruction ID: 7e5203ca0a0f1099c35fd667c4ab2e9f2e2f88258a5cd13fa275150d671c3e69
Opcode Fuzzy Hash: 5048ddf2475fcc4bfbd415682374444c3197fc08abffe3e1d467f79c691fd455
Instruction Fuzzy Hash: 5F514971200A29DFCB22EFA9C980F6AB3FDFF58658F410469E64297660D738F940CB50

Function 013345B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction ID: 89e1902e2f2dd7386e54ab22257a47a87f38f217c40d41e1869002b212bce54e
Opcode Fuzzy Hash: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction Fuzzy Hash: 01517F71E0021AABDF16DF98C440BEEBBB9AF85758F044069EA15BB340D774DD44CBA8

Function 0139E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9665390a88f78437e966ecde2bd2c7a392ad05d7be6e07c3e2ba87be0171c2e0
Instruction ID: 85ebcc95a22ea95793f050c722a1f47fc1ce048e31ffc9957587b332c901e798
Opcode Fuzzy Hash: 9665390a88f78437e966ecde2bd2c7a392ad05d7be6e07c3e2ba87be0171c2e0
Instruction Fuzzy Hash: 3F51A531D0421AEFEF21DB98C894FAEBB79AF0072CF154675D92267290D7749E408BA0

Function 0132E627 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7578d061e33eca525875a3a96bea5cca576f401d1f9b7a4aa3e619cbf70d2a3b
Instruction ID: 4b18cb9658fdd3f8a5e9ccd8a07444c64606056501def190ad55427c18aee739
Opcode Fuzzy Hash: 7578d061e33eca525875a3a96bea5cca576f401d1f9b7a4aa3e619cbf70d2a3b
Instruction Fuzzy Hash: 7A4180725183229BD721EA7DD841B6BBBECAF88B1CF44093DFA84D7180E674D904C796

Function 0139CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8eec95d9e5ccd9b2a26b616c5c66241f13b9a982e570d84313a37d4340ae3b
Instruction ID: 22410fa0ac65e47a728892fa82ba02bf4fad22c05eada15ca116646bfe8a9ba5
Opcode Fuzzy Hash: fb8eec95d9e5ccd9b2a26b616c5c66241f13b9a982e570d84313a37d4340ae3b
Instruction Fuzzy Hash: 39517A7690121ADFCF21DFA9C980AAEBBB9FF48358B515919D906A3704D730EE01CF90

Function 0134CC00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e909eb8b3163d19fd21e54b9d4d1f7e77fecd77aa5172972afad511015765e68
Instruction ID: 9701717a90cbb3b89245fc003087071c8749c70a41311e5b363cd53929ed251c
Opcode Fuzzy Hash: e909eb8b3163d19fd21e54b9d4d1f7e77fecd77aa5172972afad511015765e68
Instruction Fuzzy Hash: 7C51E37460230BCBDF269F2DD5807267BD5EB4225DF18A479E906CA161D630EC83CA5A

Function 0134A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e9948c09f17ace33eaf6b17a4edafb5e8776e7725b1c7a707d56a22c0f7331
Instruction ID: 367a43920812af65ffb1c2f84c5d8cb994cbbba450efaee37972c335e5da0efa
Opcode Fuzzy Hash: b4e9948c09f17ace33eaf6b17a4edafb5e8776e7725b1c7a707d56a22c0f7331
Instruction Fuzzy Hash: A9412971640305DBDB26FF6EDA81F6A37A4AB5471CF01046CEE4AAB362D771A800C790

Function 013401F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34acb2ec4a49f8caae59b89f4568f3c373604dbd3b5ec99c971e5d017a57ee5
Instruction ID: b0896a738bf96c0d4cd5e4c0ad4be8bbf48b0641456dac24c43a31b83aa2412f
Opcode Fuzzy Hash: f34acb2ec4a49f8caae59b89f4568f3c373604dbd3b5ec99c971e5d017a57ee5
Instruction Fuzzy Hash: FE41AD35A00219DBDB18DFA8C440AEEBBB4BF48718F14816AFA15F7390D735AD45CBA4

Function 0130CDEA Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fed07ccff404fd1f267139bff13cbed08bdfe6fe1b38a5460d23110b795e9b
Instruction ID: 4aa36099fbb36426f8cae5e45948464a96bd19e75bcbb59b1b32d62e698574bc
Opcode Fuzzy Hash: 16fed07ccff404fd1f267139bff13cbed08bdfe6fe1b38a5460d23110b795e9b
Instruction Fuzzy Hash: 7C41C172D00219EADF25DB9CCC90AEEBBFCFF44628F10815AE615B3254D7309A41CB50

Function 01352750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction ID: 374c96dce9ae115048111d78f8004454eada2c411334f255dcf719bbbdd1654d
Opcode Fuzzy Hash: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction Fuzzy Hash: C2517B75A00219CFDB15DF9CC480AAEF7B6FF84714F2481AAD915A7351D770AE42CB90

Function 01316154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca49b32b0cc82a5753ddb136855b617440bc0af041577b79ae3852dfa29ab01
Instruction ID: 3544350d625e6a42fbc31a453df54081c924b163fa0665516b150a2992ec9117
Opcode Fuzzy Hash: eca49b32b0cc82a5753ddb136855b617440bc0af041577b79ae3852dfa29ab01
Instruction Fuzzy Hash: BC5126B0900216CBDB3A9B68CC01BE9B7B5EF0530CF1482A9E51AA76D5D7785981CF40

Function 01310BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2e19265bf1e976d5b742f6bb0ed8bc1ed90c0c1925367f46ccfb9bc23a88fe
Instruction ID: b31f15f9f218e8e9047b18cda00ee67049cfe57727c7ce2437377c2a2f652a77
Opcode Fuzzy Hash: 7f2e19265bf1e976d5b742f6bb0ed8bc1ed90c0c1925367f46ccfb9bc23a88fe
Instruction Fuzzy Hash: D941AF35A00228DFDF25EF6CC940BEAB7B8EF58754F0140A5E908AB245DB749E85CF91

Function 01310D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d068901da8e812daad4e95e8f604e2b9f24b47280124c3838d80c822e3b8d251
Instruction ID: da756cc6f55257df2e9ee09dbd7cae38bd5968f905cc830aa4476bda607b72a7
Opcode Fuzzy Hash: d068901da8e812daad4e95e8f604e2b9f24b47280124c3838d80c822e3b8d251
Instruction Fuzzy Hash: 8B41F5756007189FEB29DF29CC80FAA77ADAF45718F00449AF9499B285D770DD80CB61

Function 01346F60 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b5bc6a197dc01824761e266717da85543a2c2618dbf9b7e4ffd457628957e4
Instruction ID: c41dcb7eaa9bd12163730a7c61b06359804ad2af261c16274db0a9b235306ffd
Opcode Fuzzy Hash: c0b5bc6a197dc01824761e266717da85543a2c2618dbf9b7e4ffd457628957e4
Instruction Fuzzy Hash: 795137B5A0070ACFDB11DF69C480B9ABBF1BF48718F11882ED96AAB750D775A904CF50

Function 0138C730 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275b8ed99e8b83d61fe74c1c95608208aebfff3d6a42162a16827263d5ca97b1
Instruction ID: 6e91d407c4b60109bad27c0c20fc4cf48c1a072108425d7096411f81d65e585d
Opcode Fuzzy Hash: 275b8ed99e8b83d61fe74c1c95608208aebfff3d6a42162a16827263d5ca97b1
Instruction Fuzzy Hash: 0D4125B1D5062DABDF21EB64CC84FDEB77CAB54718F0045A5EA08AB140DB709E498FA4

Function 01310887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a84aa649768ca90813c7d10379d45abb74299d2315e59d579779fb795ec635
Instruction ID: 1183e16d55848b17db3fc2f0c567a77de9385c6df8db6ea371ce6971c242bee7
Opcode Fuzzy Hash: c6a84aa649768ca90813c7d10379d45abb74299d2315e59d579779fb795ec635
Instruction Fuzzy Hash: 3B41C5716007059FD72DDF29C990926BBF9FF48318B108A6DE55787A68E730F485CB90

Function 0133A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f524cdb72344bd62eb48babf4d9624a510dfbfb90bdf9326e7d57fe943dda9
Instruction ID: 455bc028a1562fe97c06985f1d09cca04abb39b47b98070a346aad863bf13065
Opcode Fuzzy Hash: e3f524cdb72344bd62eb48babf4d9624a510dfbfb90bdf9326e7d57fe943dda9
Instruction Fuzzy Hash: E541E231A00219CFEF22DF6CD9947AD7BB4FB98358F0401A9D551B72D1DB349900CBA8

Function 01318BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025b0598c53b33c1c8d2c5035261cbdbd730c9f232e618f6c01b1323081f77de
Instruction ID: 0bd1bed1594077c7c26dafa831b2cff6867123bde302ecaac92f049aa8444503
Opcode Fuzzy Hash: 025b0598c53b33c1c8d2c5035261cbdbd730c9f232e618f6c01b1323081f77de
Instruction Fuzzy Hash: F6412931A00306CBDB29DF5DC980A9ABBB5FF9470CF18816EEA016B669C735D841CF94

Function 01308918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940c26aa23e820ec56da1cb5776e9d31b3cd9a193757e5d7be127390c4fc6dbe
Instruction ID: 6c558b3e0298ec6e6638c7576349a0ec9d91ed716dffc69a53041368452db9cb
Opcode Fuzzy Hash: 940c26aa23e820ec56da1cb5776e9d31b3cd9a193757e5d7be127390c4fc6dbe
Instruction Fuzzy Hash: 694162319083169ED312EF69C850A6BF7E9EF88B58F40092AF984D7150E730DE048BD7

Function 0130A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 95beef8788f7301d620230d72c4938c1a8d1d26e78213cc75c390da097546370
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: EF412631B04319DBEB12EE1C94607BAFBB9AB5075CF15C06AE944CF289D6328D44CB90

Function 013109AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9323a94a04f0789ae1d31ab618ce41f18f1cd2c46a8d7064bbf9e5f5ead7bf6
Instruction ID: f16a815ccbda2c53aff80d31eeb6f7960f54241ab80bfb422871d3a49168fb3c
Opcode Fuzzy Hash: e9323a94a04f0789ae1d31ab618ce41f18f1cd2c46a8d7064bbf9e5f5ead7bf6
Instruction Fuzzy Hash: 01418F72640701DFE729DF18C840B26BBF9FF54718F20896AE449CB255E771E981CB90

Function 01340710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction ID: 031f14abe367d00179574a2503ee014227d96db48670ff86ceb50c70b7576ea1
Opcode Fuzzy Hash: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction Fuzzy Hash: 6541F871A00605EFDB28CF98C980AAABBF8FF18708B10496DE656D7651E330FA44CF51

Function 0130C156 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0e6a6f2a86431822621bbb0d430acbc4373084821a90f5b9c408dbe4554d1d
Instruction ID: 06b6a1a57d820ee0bd5355ead17ffd1233a19957bbba22e8bf8bdac9b59da560
Opcode Fuzzy Hash: 7c0e6a6f2a86431822621bbb0d430acbc4373084821a90f5b9c408dbe4554d1d
Instruction Fuzzy Hash: 84412E71A002158BCB21EF5CCC40BA9B7B8BF5130CF54C569ED899F386DE759946CB90

Function 0131A2C3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b9ca1f909e69289bcad800620b90e8433c7b48479452b99cf3f483781ae67b
Instruction ID: 40a84369eb735d7986a502732d5edba44901ee8c1b09c6a5b1bdae6e48f6b5ca
Opcode Fuzzy Hash: 36b9ca1f909e69289bcad800620b90e8433c7b48479452b99cf3f483781ae67b
Instruction Fuzzy Hash: A441D170A05699CBDB29CF6DC440B6EBBB4FF84708F144465E905DB255E3B9DA00CB50

Function 0134C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d96fbba6ed5d79ffa7bf563ed4ba72be8661cb460528a2b6d4af617316e477
Instruction ID: 632d4fc48cd3d45e8f5b1a5a043975836654cf7a8581d422e7fd7b1622cd53c2
Opcode Fuzzy Hash: 83d96fbba6ed5d79ffa7bf563ed4ba72be8661cb460528a2b6d4af617316e477
Instruction Fuzzy Hash: 283179B2A01355EFDB52DF5CC440799BBF4EB09718F2085AED119EB291D732A902CB90

Function 013080A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb270b80af672c672269fcf99543a0d8d4abd758dee6b17329dd65ba5adf978
Instruction ID: c395a7547dcd59258f9a44c9d5de3423e19c5025cd724b71188f34e199f9dcee
Opcode Fuzzy Hash: 4eb270b80af672c672269fcf99543a0d8d4abd758dee6b17329dd65ba5adf978
Instruction Fuzzy Hash: E541F071E0461AEFCB0ADF18CC506A9B7F5BF14768F2482A9D816A76C0D730EC418BD0

Function 01308B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0ab72d848ddd766b8977ac588e4b4363faec362abf267c923c600e17f6cd30
Instruction ID: 78841b3cb6fd6460eca0b80fb6bc8143e0dbdae0df113bac8dd8a9f9ac764216
Opcode Fuzzy Hash: af0ab72d848ddd766b8977ac588e4b4363faec362abf267c923c600e17f6cd30
Instruction Fuzzy Hash: E3418E71E01619CFCF16DF6DC99099DFBF1FF98328B1086AAD466A7290DB349941CB40

Function 01342674 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5384b7c155f1d1a6f3bc5b615c05b4e564e50788d35b263739401633aefedc81
Instruction ID: 863cbfc03eb0f6577a6d3d71ed49b84885ffd2c712dd56f289c1906610f61a74
Opcode Fuzzy Hash: 5384b7c155f1d1a6f3bc5b615c05b4e564e50788d35b263739401633aefedc81
Instruction Fuzzy Hash: CB31053AB403157BEB21DB9A9C45F5BBEB8DF64A98F15006DFB04B7241D270AE00C6A0

Function 0138CCA0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d36bdd69ed57286a99e1d709dd728d6f7eedb05bfabecc2166012e0d1548d8e
Instruction ID: 76f32eb5aef8a76bcefd4aaeb7b4a3166b95ac756f987f84253f22ecb49756e5
Opcode Fuzzy Hash: 0d36bdd69ed57286a99e1d709dd728d6f7eedb05bfabecc2166012e0d1548d8e
Instruction Fuzzy Hash: 68316F32940619BBDF22BF98CC50FEEBBBDEB54754F110169FA00AB150D6749E45CBA0

Function 01308CD0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a323c03fd9527a48982b023506e6f93371f9514288675ebb20c3b3d33a1a60
Instruction ID: 33f9dfec5720a77d3ea3f6ffd2a5e2bbfa80681eacda4896645a1956dcf58619
Opcode Fuzzy Hash: a2a323c03fd9527a48982b023506e6f93371f9514288675ebb20c3b3d33a1a60
Instruction Fuzzy Hash: 8331C472D00215DFDB22DF1CC850A6ABBF5FF54328B2486AED455A72D0CB319D41CB80

Function 013202E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction ID: 7db9b0e2e557485a96b4fd4e5d9e5d0059ef92cfbec547b4ffe41e1dab808b16
Opcode Fuzzy Hash: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction Fuzzy Hash: 79312532A04255AFDB269B6CCC80BABBFE9AF14758F0441A5F855D7352C2749888CBA0

Function 013226EB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction ID: 95f72c531297b0c47fcd881de5fd79884746de9a3946b526186f3f21aa02cfba
Opcode Fuzzy Hash: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction Fuzzy Hash: CA41F5357082528FD326EF1CC894B27B7E6EF94318F0484AAE8548B352DB38DC45C7A1

Function 01314260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699b88e3447d17c0764389bf6bde13b52c82ae8d74b9ca55f7bdcbef31aab2a0
Instruction ID: ab600faa369e8d13323cba6be207c8d3564e91a108339c2d0b56065dac5f3138
Opcode Fuzzy Hash: 699b88e3447d17c0764389bf6bde13b52c82ae8d74b9ca55f7bdcbef31aab2a0
Instruction Fuzzy Hash: 4841B132200745DFD72ACF28C984FDA7BE9AF49758F01482DEA5A8B260D774E814CB90

Function 0138EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc498615d535032e162b3c11d2019dfb47b616f162ead19903a357cb7630133
Instruction ID: ca77bb2690a3ababb41d2634f2e96d829a03a08043a5fb01721b931cf8ac02c4
Opcode Fuzzy Hash: 6cc498615d535032e162b3c11d2019dfb47b616f162ead19903a357cb7630133
Instruction Fuzzy Hash: 393190326097969BF727779DCD48B657BE8BB45B4CF1D00B0EB459B6E2DB28D840C220

Function 01316484 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a8eba01c49e54491d9edac1949bc0b0b5b59c346c858f61ce841796955831b
Instruction ID: f72b9c3a2e97d153c5d44ee5fc80eeceb2131b27072db77c7592a3b8daf4a989
Opcode Fuzzy Hash: a7a8eba01c49e54491d9edac1949bc0b0b5b59c346c858f61ce841796955831b
Instruction Fuzzy Hash: BB31E572600785CFDB76CF28C582BA277A1EF01B18F108479EC488B64AD779D849CB81

Function 0133EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ddeb443c2fa01f9a686bcacf84b7945fc7c0a2c2993ee6e5b9a10f8a19edf9
Instruction ID: 83b3808d18c4a60027b90d5f5fe3707e951e55d66f569edd35cbd33a603ec580
Opcode Fuzzy Hash: 23ddeb443c2fa01f9a686bcacf84b7945fc7c0a2c2993ee6e5b9a10f8a19edf9
Instruction Fuzzy Hash: C531A472E04219AFDB32DEADCC40AAEBBB8EF48754F014435E926D7250D2749A008BA4

Function 013107AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8aadf534a83bcdb923a5670ac27756e28327b1371c8b50c591d221d2b288b38
Instruction ID: 61177bace0d6fd6ae04589edbe4ae0dd9a379b2f4d443e9f0a57bf11a24f00cb
Opcode Fuzzy Hash: e8aadf534a83bcdb923a5670ac27756e28327b1371c8b50c591d221d2b288b38
Instruction Fuzzy Hash: F7312732A08316DBC71EEE688880E6BBFE9EFD4258F014529FD5597318DA30DC518BE1

Function 0138CA72 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b473cf739f85c5ea27b68e45598245c14e1a22f3ace3910794cd25695d8a4a3e
Instruction ID: 3b25f37d393ef415730ffa1bb9f98d6d3b3d0ca8c6dc4ffb6794858a294930c7
Opcode Fuzzy Hash: b473cf739f85c5ea27b68e45598245c14e1a22f3ace3910794cd25695d8a4a3e
Instruction Fuzzy Hash: F831E336900A19AFEB16EB5DC855EEFBB74EB80728F014129E905A7251D7309E04DBF0

Function 0133AF69 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03eaeec3c939787effa1f3e34c8c704e879544df64b6be5b9bdeb8ca8e8812bd
Instruction ID: d3e331735b139e9ed0434a45e8d7516fd89e45df678df18527c6107e4d62e16d
Opcode Fuzzy Hash: 03eaeec3c939787effa1f3e34c8c704e879544df64b6be5b9bdeb8ca8e8812bd
Instruction Fuzzy Hash: 03316435A011299BDB319F698C48FAFF7B8FF84648F0500A6E809E7254D7349E85CF55

Function 0134A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction ID: 9f17ff7447d2622eba900155e1a4596a05b639147f0ad7e5159ad68e621e7a83
Opcode Fuzzy Hash: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction Fuzzy Hash: 653116B2B00B01AFE771DFADC941B57BBF8AB08A54F04492DA59BC3651E630F900CB60

Function 0133438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676d96e966ca15fc4f7a0cd131650616b673fcaddf2676779f6e26e42c39fda6
Instruction ID: ac9dba69c9f91c1c994899c226d6f830e2f05b6460a94f888efef3014bf9cc60
Opcode Fuzzy Hash: 676d96e966ca15fc4f7a0cd131650616b673fcaddf2676779f6e26e42c39fda6
Instruction Fuzzy Hash: B931D432B002059FD720EFA9CA85A6EBBF9AFC470CF008539D646E7654D734DA41CB94

Function 0130CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c690a574d208988890aca6b69b9da58949f77535854b98400e500bc46297e2d
Instruction ID: 6c8ae6b057b07722acfc5eff4ee37688f39590843884089d2afef9ecc29a82d0
Opcode Fuzzy Hash: 1c690a574d208988890aca6b69b9da58949f77535854b98400e500bc46297e2d
Instruction Fuzzy Hash: 6F210432E4025AAADB11DBB9C810BAFBBF9AF55744F1581759E15F7380E270C90187A0

Function 0130E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b0c814f72003070887ea6ecc8d2b2b3214c037968bcae0b895e85bf75ac5df
Instruction ID: e3c1e3e7c1c32184f31839d2107638bb88eb166b28576045600c8f139e876914
Opcode Fuzzy Hash: a8b0c814f72003070887ea6ecc8d2b2b3214c037968bcae0b895e85bf75ac5df
Instruction Fuzzy Hash: CA31C232B0012C9BDB369E18CC51FEEB7B9EB15758F0108A1E645A72D0E6749E808FA0

Function 01344588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef98d79d942c89cfc48283b2190d39f6c140f3f251631ee5cd557d4e3ce43567
Instruction ID: bd863a342af935314a48a961ab3578164139fe06894c249269adae30eb05e320
Opcode Fuzzy Hash: ef98d79d942c89cfc48283b2190d39f6c140f3f251631ee5cd557d4e3ce43567
Instruction Fuzzy Hash: AA219131A00609EBCB51CF58D980B8EBBF5FF48728F108479EE159F241D674EA058B90

Function 013444B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913bc075042bdf3f1c1412d6dc85bac4967f29ca33c808ce2cd57d64883da1b4
Instruction ID: 4d04875897833434f524ba817c0e3755476c4e95f36877789a501cd01397c535
Opcode Fuzzy Hash: 913bc075042bdf3f1c1412d6dc85bac4967f29ca33c808ce2cd57d64883da1b4
Instruction Fuzzy Hash: 0421DF72604745DBCF22DF18C980B6B77E8FB88768F004569FD489B640D730E9018BE2

Function 0130E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction ID: d274894c43597d00c8c4f1105f1cfbc297c95e30a3600e186d1981f753ec161c
Opcode Fuzzy Hash: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction Fuzzy Hash: F3319A31600608EFD722DFA8C894F6AB7F9EF85358F1049A9E5529B681E730EE01CB50

Function 0138E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e987b175bc2a49eb62e20b16e38e503aa747f17012369e182719f90fb814a8b5
Instruction ID: b0d8190312803969826cfd58b0d69a282ab5949cedf32f7c50314bc2d75d8576
Opcode Fuzzy Hash: e987b175bc2a49eb62e20b16e38e503aa747f17012369e182719f90fb814a8b5
Instruction Fuzzy Hash: A031A075600306EFCB15DF1CC8849AEB7B5FF8432CB154469E80A9B391E731EA50CB90

Function 01338CB1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c373f40f11054e4cb368a98f1bc1e52e815c09943ca18915a9fb282ad2f2c690
Instruction ID: 4f49bb5b622d004f2a0728827c3dd3b39b83360792e06083f2b362c703ecd4ac
Opcode Fuzzy Hash: c373f40f11054e4cb368a98f1bc1e52e815c09943ca18915a9fb282ad2f2c690
Instruction Fuzzy Hash: 73212936501129EBDF329A9DC848F5BBBBDAFE1AACF054162FA059F114C634DD018BA4

Function 01318D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 2bacdb46678d03a9db05c4c79ab1e5f409ace978c963af1e2d5ca8bad9a7ae64
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 46212532A056859BE73A972DC914B267BF8AF4475CF0904E4DE42A7AD2E76CDC41C210

Function 013906F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ac9ebbf1af36415efd3ca8133630043c8ce4dd8e33b7d8d3af70d95892bf9f
Instruction ID: a7e3b18a8ef095d7d898dc7e535663ff87bbd403a47c3bf58b79d84f019153a7
Opcode Fuzzy Hash: c3ac9ebbf1af36415efd3ca8133630043c8ce4dd8e33b7d8d3af70d95892bf9f
Instruction Fuzzy Hash: 83219175900129DBCF25DF59C881ABEB7F8FF48754F500069F941AB250E738AD41CBA0

Function 0139019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34236e1d1fe7998aa69903816323b3af4b7432a236f46a469cb1430b9f89efbd
Instruction ID: 61be0dc968745491f888dfdf25e751c76a218c7ffc6de9cc6b4e47f40fe3c2e2
Opcode Fuzzy Hash: 34236e1d1fe7998aa69903816323b3af4b7432a236f46a469cb1430b9f89efbd
Instruction Fuzzy Hash: 2621BC71600615AFDB15DB6DC840F6AB7B8FF48748F1400A9F944DB6A1D638ED00CB64

Function 01390283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439ac9826f80d9245b80f3ac12b55b3894d1ed152119a046906ebcd17572f43c
Instruction ID: a6326650228b992a8eb208dba999c913e73160c24d961b6cff5e7541f78d0357
Opcode Fuzzy Hash: 439ac9826f80d9245b80f3ac12b55b3894d1ed152119a046906ebcd17572f43c
Instruction Fuzzy Hash: 5A21F2729043469FDB16EF9DC844B6BBBECAF91248F080456FE84C7261D734C904C7A2

Function 01332835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05596d219224174cf26fbfb08623a19b29d6c95f6076e4c8d51dad0346ddadc3
Instruction ID: 5f8b7d5a9daa81fd440c5479349a0a6202ef18d6038b776f19bfd5240d117352
Opcode Fuzzy Hash: 05596d219224174cf26fbfb08623a19b29d6c95f6076e4c8d51dad0346ddadc3
Instruction Fuzzy Hash: 7521F6316096959BF736676C8C14B297F98AF8577CF280360FA209FAE2DB6CC8418244

Function 01316C50 Relevance: .1, Instructions: 73timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01316D8C

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction ID: 4e281d3047177c20956e21f98e373e050d182c39deb953e7a4ea9ce453d761a8
Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction Fuzzy Hash: B93188B6600604CFCB25CF58C180B26BBF9FB48718F2484ADE9498B756DB35E942CB90

Function 0134A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec1ae2ad709cb52febbfb8a534d13f0c4e58a4f3ff0f4f609059b468c8aceff
Instruction ID: 95e876b4e34120ffed7faddfb0e4810ed431a790c1d03ac649ea327a2978fe2d
Opcode Fuzzy Hash: dec1ae2ad709cb52febbfb8a534d13f0c4e58a4f3ff0f4f609059b468c8aceff
Instruction Fuzzy Hash: E9216875241A119BCB25EF29C901B56B7E5AF48B08F248468A50ACBB62E371E942CB94

Function 01390946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e70882859af23f673cf7d05bbd86e8ed81ec602225e92729bd1ce83abfc6e59
Instruction ID: 8f719e5decddcd6b0a04fd2004faf9a8f1c2072883cdf2c3b6486726386bc3e0
Opcode Fuzzy Hash: 7e70882859af23f673cf7d05bbd86e8ed81ec602225e92729bd1ce83abfc6e59
Instruction Fuzzy Hash: AE21C4B1E00209ABDB25DFAAD9819AEFBF8FF98714F10012FE509A7254D7709941CB64

Function 01320BBE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e51800e09f10f61166e0b6cae41cbab4ea3242de32a13bd9081ee3cc7d5f969
Instruction ID: 06f8bf80dab847b524840f27cdd25a2b7e1225a168200f5717de30363a536523
Opcode Fuzzy Hash: 6e51800e09f10f61166e0b6cae41cbab4ea3242de32a13bd9081ee3cc7d5f969
Instruction Fuzzy Hash: 861103313651169FDB3EEB18C454B36B3A8EF4061EF18812DF406DB691DB38E848C750

Function 01340124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction ID: 9b667eccf0d4b16b838009a7901ef04d2ea1985377838887e01c229acc67da5a
Opcode Fuzzy Hash: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction Fuzzy Hash: 0A11BF76601605EFE7269F58CC41FEABBF8EB80758F104429FB059B190D671EE44CB60

Function 01318770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ada528c11b3a9a161c55bb1f39e00b6c1a358619ca78f4502f1a7b66e12d070
Instruction ID: 2b22f7f56ecddaf1b90cd8c605852f1b395c7bf6da17d0be19777340e6ab15b2
Opcode Fuzzy Hash: 6ada528c11b3a9a161c55bb1f39e00b6c1a358619ca78f4502f1a7b66e12d070
Instruction Fuzzy Hash: 141104327016119BDB19CF4DC4C0A56BBE9AF8A718B1840BDEE089F208D6B2D911C794

Function 0134AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction ID: cec203955037181660861a74f21244481cbb91258c0a745084a98c464e52249b
Opcode Fuzzy Hash: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction Fuzzy Hash: 16218B72680645DFDB329F4EC540A66FBEAEB94B18F14887DE94A97B10C730ED01CB80

Function 013180E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7615985c6b520abfc03a007b63807f323e30ce1dc1a7bcb3064e77b9a787e008
Instruction ID: 2c6674988a670d72fd73b7fe002a68c3f3e589203c05d9ad3c10a4cae4f5ef56
Opcode Fuzzy Hash: 7615985c6b520abfc03a007b63807f323e30ce1dc1a7bcb3064e77b9a787e008
Instruction Fuzzy Hash: 8D216F76A00209DFCB18CF58C581AAEBBF5FB89318F2441ADD505A7315CB71AD06CBD0

Function 0134674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fbf7b6d90a355459fe28896ca0a16cd4ed91ff0ce4e0e19188517e1cd5896b
Instruction ID: b6c918f77040521b768e011fc7ac4a785851ca4b2825ac13bc6aa89ca41e4cf5
Opcode Fuzzy Hash: a8fbf7b6d90a355459fe28896ca0a16cd4ed91ff0ce4e0e19188517e1cd5896b
Instruction Fuzzy Hash: 55218EB5500A01EFD721DF69C841F66BBF8FF85254F04882DE59AC7650DA71B950CB60

Function 0130EA80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53256c9c5393d0d990cdfd54ea081ed503aeba107dbe51c469e9ffb6209c485e
Instruction ID: 12b347fe48c65fc944f04abe7265dfb2692b4000e0a9865a78cae87c73e2747a
Opcode Fuzzy Hash: 53256c9c5393d0d990cdfd54ea081ed503aeba107dbe51c469e9ffb6209c485e
Instruction Fuzzy Hash: F61181B16017559FE3219F2AC984E57BBF8FF59758B00893DE54A87624D770E804CBA0

Function 0133E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b608a062baf16b35cd6f94052115b649097e7dc85e07545b655fdfac7c8775
Instruction ID: 74a5f3a66626c7a7da640773cb1f2cb17d216c2e02f4969998c0f35839817bee
Opcode Fuzzy Hash: 40b608a062baf16b35cd6f94052115b649097e7dc85e07545b655fdfac7c8775
Instruction Fuzzy Hash: 1C112F333041159FCF1ADB29CC41A6B72AAEFD5378B254539D523DB290D9349C11C394

Function 01322B79 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a90d76c13f46ecc87ba54e21d1a0bf8a8fa4d1ef515e01181c91c2a38fb769
Instruction ID: f6f9ea06281ed6da24647c497a1a1fc01b8c985e50224514fca0f4427cc6440c
Opcode Fuzzy Hash: 07a90d76c13f46ecc87ba54e21d1a0bf8a8fa4d1ef515e01181c91c2a38fb769
Instruction Fuzzy Hash: D1117272A056689BDF22EF9DDC44BAEBBB8FF08B58F084055ED04A7651C3789C41CB90

Function 013466B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2d2069292a7ebc42d34bd0353d114ce166e339f95747e25709b82c4db0871e
Instruction ID: 330633f458017d78de9c5326385a3e7b7de31cd075b9043d49194f9da36f41a4
Opcode Fuzzy Hash: 2e2d2069292a7ebc42d34bd0353d114ce166e339f95747e25709b82c4db0871e
Instruction Fuzzy Hash: 3311E3B6A01215DFCB25DF5DC581A5ABFF8EF85614B02807AD9069B311E634ED00CB90

Function 01310AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction ID: e190315796f0e5a0b717f3a695e3b7a86400dcc358e0cf075fdb7addb0babbb6
Opcode Fuzzy Hash: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction Fuzzy Hash: C92106B5A00B059FD7A0CF29C440B56BBF4FB48B14F10892EE98AC7B40E371E854CB90

Function 01312F12 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9618cefa95a8ac4606cd170f598e3e32f4c4cf79c440207eeb2eb5f9851a6c
Instruction ID: fbb3ae04cc3b07d9314e2890358f72a7baddc1d40aec57c1a7fd4d524eb80e54
Opcode Fuzzy Hash: db9618cefa95a8ac4606cd170f598e3e32f4c4cf79c440207eeb2eb5f9851a6c
Instruction Fuzzy Hash: E81148313443015BD63E672F9D45F17F6D8EBA4AA8F75002AF6069B2ACE9B0D818C791

Function 0139E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 818c0ba6a0db1055436b7f8c949ac427b817df5c74cf48b31f9db164a27a1f13
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 60119A32604605EFEF21EF88C840B5ABFA9EF45B58F058478EA199F260DB31DD40DB90

Function 013327ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f28fb0a99fbbb2b3d0f0c763c79db6ef598faad69cd0e22bd5d5aab94e5aae
Instruction ID: 44d6e602d5ea71e63597c58b22e88a07772a5d5d60aa1bd97b6424223ab0742e
Opcode Fuzzy Hash: 52f28fb0a99fbbb2b3d0f0c763c79db6ef598faad69cd0e22bd5d5aab94e5aae
Instruction Fuzzy Hash: AF01D631709649AFE326A66ED894F2B7F9CEF8475CF090075F9009B691D928DC00C2A5

Function 01314690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d54ea5d1572b5a6ac5a385f060c0092e11c1b780cf8a72dc658b6549cecbd9
Instruction ID: 24eb13eb90d81e0bcc75cf12c1d7f7c272c771d4b855cb3d08af71d01a45a6f9
Opcode Fuzzy Hash: 35d54ea5d1572b5a6ac5a385f060c0092e11c1b780cf8a72dc658b6549cecbd9
Instruction Fuzzy Hash: 13110E36200744AFDB29DF5DC844F567BA8EB8AB6CF004129F9288B254C330E840CF60

Function 01346620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c5acaf6cd5d7c096c5baffedfdc76c7f7c9bd68f1f817ee3e17d1c012deabd
Instruction ID: ae54a78fefba2185022df0992ae93ac92c6b1b49be3a566fa96fd84197a5c093
Opcode Fuzzy Hash: 88c5acaf6cd5d7c096c5baffedfdc76c7f7c9bd68f1f817ee3e17d1c012deabd
Instruction Fuzzy Hash: FB1182B2A00625ABDB22EF5DCD81B5EFBF8EF89764F510459DA01A7204D738BD058B50

Function 0133E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 7008155b464780b53074c125db4fcf1bd3447dc341123c7383d30da76c3d5e22
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: AB118E726056CADBF732A72CC954B257BDCBB8575CF1900B0EE418BA92F72CC842C655

Function 0139E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 9a1c2d116ad290959410011d2789533222d4e34312c914be4e052e83a1d4f7ac
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: AD019232600115AFEF25DF5CC800F5E7BA9EF45758F058434EA059B260E775DD40D791

Function 01308FF0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27991d254108277b2a09fc1fe9319d7aed6a0fbdce5641a17f17afb8ec0dc32a
Instruction ID: c7f3e96f12c7899431313cf6d06cd6d9c0cd6eb573d9c68e217850c66ebd10ca
Opcode Fuzzy Hash: 27991d254108277b2a09fc1fe9319d7aed6a0fbdce5641a17f17afb8ec0dc32a
Instruction Fuzzy Hash: D9116DB2A01219CFDB16CF59C490799FBF1FB48718F24807EC509AB392D3369902CB90

Function 0130A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: ae059bd1e09f3577f3befd5ac1f2a8b03708fc6659a8738695b150aff64728cc
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 8D01C4715057259BCB228F19A850A767BE9EB55B64700853DFD958B6C1D732D400CB60

Function 0138E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8c012e9564fe50456e676651650468e4f6af4c6165dd92ffeff8c97545f081
Instruction ID: 70da17b762ea1f1ccb232d8be043a58d0446f0aab0dec116bb49a42f0cc65de6
Opcode Fuzzy Hash: 9c8c012e9564fe50456e676651650468e4f6af4c6165dd92ffeff8c97545f081
Instruction Fuzzy Hash: 99118B32241341EFDB16AF19C980F16BBB8FF58B58F200075E9059B6A1C335ED01CB90

Function 01316259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e94b514a47eec29b92ee8e03ab43ad7094cd01deb5939acca976aa5acfe3cf
Instruction ID: 96ff7d40feb021f4172f3fd4b12f09e7c8de53a4804a487237fc79f3b4b58458
Opcode Fuzzy Hash: 00e94b514a47eec29b92ee8e03ab43ad7094cd01deb5939acca976aa5acfe3cf
Instruction Fuzzy Hash: 75117071541229ABDF69EF68CD42FE9B3B4BF08718F5041D4A719A60E0DB709E81CF84

Function 01346DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction ID: 4923b8315dbcf617467bcbfb84653e1d01f30d511a322b05fb04671e3c4df762
Opcode Fuzzy Hash: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction Fuzzy Hash: 4D01F5B160412567EB399F69C906B9BBFE8DB82B58F048015AA0A5B280D674E8C0C3E0

Function 01396050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf3888f4cf991ac947033da3eeebfb24b92cde4085a32c60cead014ad2f924b
Instruction ID: bf5635e0bb0917758dda67e0a5bbf303462325fc152b4fdf6c730ab6ca7caa09
Opcode Fuzzy Hash: aaf3888f4cf991ac947033da3eeebfb24b92cde4085a32c60cead014ad2f924b
Instruction Fuzzy Hash: 4B111BB290001DABCF11DB99CC85DDF777CEF48258F044166E906A7211EA34AA15CBA0

Function 0131208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e0d4822a663bf5e14d9df16824b922a2ba52ca1849ee47bd7c46197c228316
Instruction ID: cab43bbc035b7a1b14c71a79c272e1934b9c1b8cb047621285a4ef018f4f07fa
Opcode Fuzzy Hash: e5e0d4822a663bf5e14d9df16824b922a2ba52ca1849ee47bd7c46197c228316
Instruction Fuzzy Hash: FE0128326001108BDF199A5DDC80B53776FBFC4708F6656A5ED018F25EDA71CC81C390

Function 0139C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73acef9d799df4cbd0916d9e3fd4569a705f8bd3bf526f5067935bbed84cb1cf
Instruction ID: e7f11a16f567d0501c16a9ec69a628f76f4a0db3c69159dcadecee4a299c1852
Opcode Fuzzy Hash: 73acef9d799df4cbd0916d9e3fd4569a705f8bd3bf526f5067935bbed84cb1cf
Instruction Fuzzy Hash: DB11ECB1A002199BCB04DF9DD541A9EBBF8FF58754F10406AE905E7351D674EA018BA4

Function 0130C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c51aca747985c3dbf21617d68590102e67a89be70301c85746c64afd12358dc
Instruction ID: 5b225a64a2420871f187023feb5f0ecac92b97c63bb11d233ed9c74028b6c21a
Opcode Fuzzy Hash: 4c51aca747985c3dbf21617d68590102e67a89be70301c85746c64afd12358dc
Instruction Fuzzy Hash: 9C01F532200709DFEB23D6ADC800AA777EDFFC5218F048559A6868B984DB70E402CB50

Function 013520F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5f518303adc1a6792d4650c0fb780507c5027ef3e54b8cfaf0f379395ae3d2
Instruction ID: 80e6c4d79564ea3263a63cfe9e8ad33ee3d538c9bae1a6075947a266d7010f86
Opcode Fuzzy Hash: eb5f518303adc1a6792d4650c0fb780507c5027ef3e54b8cfaf0f379395ae3d2
Instruction Fuzzy Hash: C8116D35A0020DEBCF15EF68C850EAF7BB9EB44648F004059ED0197250EA35AE11CB90

Function 0134E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3eb3e25bb7914f89a940fd21d46ac137967dbf626845658e7f7fcd1b412fa9
Instruction ID: f66a7802eee070b0e1d7fc46ace57864bd001b7efa5f361e337ecdff12564ad0
Opcode Fuzzy Hash: bd3eb3e25bb7914f89a940fd21d46ac137967dbf626845658e7f7fcd1b412fa9
Instruction Fuzzy Hash: F1018472201625BBD611BB6ECD40E57B7ACFF986687000525F10593561DB34EC11C6E4

Function 0139C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4a6fb1043887741772f4a4a5e6e47f0ef87d58ce861720ebd34d69495f7325
Instruction ID: 6f891a8478da507d636bdc9c4de982afdabcb0edef68c5e65979a0670f59381a
Opcode Fuzzy Hash: bc4a6fb1043887741772f4a4a5e6e47f0ef87d58ce861720ebd34d69495f7325
Instruction Fuzzy Hash: D3116D75A0020DEBDF15EF68C850EAE7BB5FB48748F004059FD01A7350DA34E951CB90

Function 0139C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f72356b7e12d6822131114b95c3f682f2b11365054ac7628eb906c206b35ce
Instruction ID: 36da51d7abb9d31274fd5de2b3902bbc67734d5b5848e509db12bb297db74d79
Opcode Fuzzy Hash: 92f72356b7e12d6822131114b95c3f682f2b11365054ac7628eb906c206b35ce
Instruction Fuzzy Hash: E91139B16183099FC714DF6DD441A5BBBE8EF98754F00451AF998D7391E630E900CBA6

Function 0139CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cabe8aa6982305811297b536fce9206243f59d119567f056548fe02c28f57e
Instruction ID: 275d9b018801a9c006275b8ae201b47a0103b1c0785dc1a9e49717f2c2af1f43
Opcode Fuzzy Hash: a3cabe8aa6982305811297b536fce9206243f59d119567f056548fe02c28f57e
Instruction Fuzzy Hash: 261179B1A083089FC710DF6DC44194BBBE8FF99754F00851AF958D73A0E634E900CB92

Function 0132E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 2ab0fd5ad3942ed3212e4b046631226f1971636fc136f3521c858328e772285e
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 4D0178322046949FE326A61EC948F267BECEB44758F0984B1F909CBAA2D67CDC41C621

Function 0130826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aaaa4551fa182cc0cf221f5e3279946a9831086699b85936e589e9fde5f091e
Instruction ID: 6ef9e60e357b226edb4ab2b3d1573eda942803fecb20ea1bd6e93a7746da7c17
Opcode Fuzzy Hash: 1aaaa4551fa182cc0cf221f5e3279946a9831086699b85936e589e9fde5f091e
Instruction Fuzzy Hash: D501F236B10909DFCB15EB6ED8509AEBBFCFF80228F1540A99A01A76C4EE30DC01C690

Function 01394C0F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb6d82511cfa4487cc0fb41de266adfc85fd9927e22dcaab9e1f1df52d64ef5
Instruction ID: a6e9df7cf9c29e954290bde01a85146c52540979dd92116fb03a38290d939ac7
Opcode Fuzzy Hash: ccb6d82511cfa4487cc0fb41de266adfc85fd9927e22dcaab9e1f1df52d64ef5
Instruction Fuzzy Hash: 24012672B00352AFDF229F9ECAC0B5DBBFCAB88758F110029EA0597245E7B4DC058B50

Function 01312582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2c3ba5de4e028482e807c1326901688b7b84e5df4b78111ce4244fd0db230e
Instruction ID: ddbb21b7fa7ccde483df649c1e2be0e4b6e0e8fa1a861e0f16423e018ebe0563
Opcode Fuzzy Hash: 9c2c3ba5de4e028482e807c1326901688b7b84e5df4b78111ce4244fd0db230e
Instruction Fuzzy Hash: 15F0F432641A24F7C7359B5A8C80F57BAAEEB84BA8F114028E60997644DA30ED01CBA0

Function 0133C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction ID: cb3d9c06f1265cf5c0a14002003c38c2bd108a4eaa1215dea772ef8f39de4540
Opcode Fuzzy Hash: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction Fuzzy Hash: E4F0C2B2600611ABD324DF4DDC40E67FBEADBD1A84F048129E509DB220EA31DD04CB90

Function 0130C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a7373cb2079d2636d95714b876d98617879040001abca15d271980cefee76b
Instruction ID: 0395bf38ea0d1fe9e9a927f5df00d6d45b4a760c1a6b334efd86bd4005afa63b
Opcode Fuzzy Hash: d1a7373cb2079d2636d95714b876d98617879040001abca15d271980cefee76b
Instruction Fuzzy Hash: 96F04C332046339BD733165D4860B6BA7D98FD5B6CF1902F5E2099B680C968CD01A3D0

Function 0134CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 8e08d42a346a6f8aba902993f935fc12493b5ad930d619ef96b756406a91c02c
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: AB01F4322056899BE322A71DC805F59BFDCEF4175CF0844A5FA049BAA2D678D801C610

Function 013920DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3530dda3bd8b9254c8f332f5b1cae76afca156ee22aef918f23afa90c989b4
Instruction ID: d7c215022799baca9a48def65414585129ed9b24a346cefb5d382051ecc3fa11
Opcode Fuzzy Hash: 5a3530dda3bd8b9254c8f332f5b1cae76afca156ee22aef918f23afa90c989b4
Instruction Fuzzy Hash: 07F0C875650308BFEB24EA4ECD46F967B6CEB41F58F50006DF70067285D2B0A950CA91

Function 013963C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction ID: 81035db2aff2f12259e4e65b936b29ffceb6a8bf961cee3e99a1094bcc8487d5
Opcode Fuzzy Hash: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction Fuzzy Hash: 64F0627210001DBFEF019F94CD81DAF7B7DEB582E8B104124FA0096120D235DD21A7A0

Function 0130C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2881028bd4502ae892b60918f4792a0dbbc746654f3360d9c8f097d76c288605
Instruction ID: 2beeb24fa0837bde17cdb16e58453ecb0f04d2966ec478f236e2cdca1ad3218c
Opcode Fuzzy Hash: 2881028bd4502ae892b60918f4792a0dbbc746654f3360d9c8f097d76c288605
Instruction Fuzzy Hash: CDF024712143415BF71A961DAC21F2232DAE7C0758F6590AAEF098B6C1E970DC01C3D4

Function 0134656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63636a7de5c3d8783958300f34cd8e0cd93dc42526cdb82ccc41b67dfc1e42ef
Instruction ID: aa9b11f2e6056d3f7806f9a980905b920a92cc9d0fca05d4a2aa82dc329950d7
Opcode Fuzzy Hash: 63636a7de5c3d8783958300f34cd8e0cd93dc42526cdb82ccc41b67dfc1e42ef
Instruction Fuzzy Hash: 5A0144B0204786DFF732AB6CCD49F2537E8BB55B4CF484191FA019BEE6E768E8518610

Function 0134A5D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0530d3fcb1717235c9540f3440e34cc3507acc1d83b03d20e15eb39d53602d98
Instruction ID: 2569cb3b039b2a33a1090b8f7cbae67f74c4dc74a761f0cc3387e5a41669d725
Opcode Fuzzy Hash: 0530d3fcb1717235c9540f3440e34cc3507acc1d83b03d20e15eb39d53602d98
Instruction Fuzzy Hash: 9A01F4B22A0704AFD311DF14CE49F1677E8E784B29F018939A65DC7190E778E804CB4A

Function 01320218 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2837c949137c3be8db8201e602399f77a45e668b5992087a3312b05a9c0dbccb
Instruction ID: bcf32773552d5482ab8fd80b175eda99892b0ffcf135f7130dfbd497bdee183b
Opcode Fuzzy Hash: 2837c949137c3be8db8201e602399f77a45e668b5992087a3312b05a9c0dbccb
Instruction Fuzzy Hash: D4F03A75911769CFE32BAF5AC9407207BA0FF02B18F62417BF5069F6A5D3349848CB51

Function 0139E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction ID: ffb1fd01ebb268fee6a7ef31e7a2f7a5504eba2354da407e5aef5d70e71ef625
Opcode Fuzzy Hash: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction Fuzzy Hash: ECF054327195229BEB21DE8DCC80F16BBA8AFD9E64F190075A6149F660C760EC0187D0

Function 0139C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fea1f98e56f62b7a11121673e6675a86f3479a244c5d06ac6493dacc5dda2c3
Instruction ID: 85f7d00669710b8371bb5254b0ec18088a1607f8f631585fe1b547f4ab6e6fcd
Opcode Fuzzy Hash: 4fea1f98e56f62b7a11121673e6675a86f3479a244c5d06ac6493dacc5dda2c3
Instruction Fuzzy Hash: 12F08C706093049FC714EF28C541E1ABBE4EF98714F40465ABC98DB394E634E901C796

Function 0132266C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d53f7b2580f2c40dd8bfcbd11525a0daf9a9cd07e9b8f933cdf490339e1112
Instruction ID: f0d12e43c05af2bf07d6dc76e5df09dc4006705ba49b304d10bf2756bd630be6
Opcode Fuzzy Hash: 83d53f7b2580f2c40dd8bfcbd11525a0daf9a9cd07e9b8f933cdf490339e1112
Instruction Fuzzy Hash: 9DF0F072714A018FD322DF7ED841766B3E4FF49214B044176E544C7201E738D912CB90

Function 01340854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 7b35ef063dfce1c3260cccd0c32fb454facb497dd2e857d9f71cecab2a0dabe1
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 6DF0B472610204AFE718DF25CD01F96BAE9EF98348F158078A645E71A0FAB0EE01CA54

Function 0139C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e90ccf2a84548b7eb7aa5d7e83bbecd4c523aa91fc1535a76b93b2265d8a17
Instruction ID: 82e79599ce6b61c763ac39953e2c966ec4492799b7ab6f7b37b61b6abbf11706
Opcode Fuzzy Hash: 69e90ccf2a84548b7eb7aa5d7e83bbecd4c523aa91fc1535a76b93b2265d8a17
Instruction Fuzzy Hash: BBF0AF70A00249AFCB04EF69C511E5EB7B4EF18304F008055A805EB385EA38EA01CB50

Function 013147FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8dbc35cbba6b665145608bfc19a7cec58e3c866c49799ed0b33604c996f447
Instruction ID: 85c9686a7fe001046afea53eca1f7f34e5d0657d362b2c9bee4c5f60e5eadc47
Opcode Fuzzy Hash: 3a8dbc35cbba6b665145608bfc19a7cec58e3c866c49799ed0b33604c996f447
Instruction Fuzzy Hash: 98F0BE319167E59FE73ADB6CC048B21BFD89B0073CF08896ADD8D87546D736D880C650

Function 0134C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcde3a60e737a5cf0d69211323755b78a3a21dbf077b6d72e05da72db597790
Instruction ID: 4bae0ba3befdc03c22bb73a612954f0fc94f366be64f55d431d0e4323e69c01b
Opcode Fuzzy Hash: 2dcde3a60e737a5cf0d69211323755b78a3a21dbf077b6d72e05da72db597790
Instruction Fuzzy Hash: 76F0E2715136619FE7229B1CC148B117BD89B447BCF0DF535D446C7562C67CF880CA50

Function 01352619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction ID: fcd562342474bc37e7b35807ced90c57db6006921687a49f42b8bff191f2c639
Opcode Fuzzy Hash: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction Fuzzy Hash: D4E092323006016BE751AE5DCC80F57776E9F92B28F040479B9045F251CAE29D0982A4

Function 0134CF80 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction ID: f45a8c2207355ae14613f40173b719487fc187026a5e1970e9ca1dc16d738387
Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction Fuzzy Hash: 03F0273220420AEFC702AB5AD804E5EFBAAEFD1718F044012F9048B251D731B861C750

Function 01310710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 961fe197175ea9df9d03ccb70e3c337002fac265f3992404e7d0bfe2f7dc27f3
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: C4F0E5392083459BDB1EDF29C040A957BA8FB45358B004054F8428B305D731E981CB50

Function 013449D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 9f3316199c298e6ca4395636ca7838fd1e12eeb32725ff38d218920be73459e7
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: FAE0D832244549ABE3212E5D8800B6677E9DBD07A4F150439E2048B550DF70EC40C7D8

Function 0130EC20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacb0741113de6204d24c7fb5f08aa5759b2144f5af342047bfa67bb57800d67
Instruction ID: f73754687f8a7edf83ff2c812f36f535309bc6d5cff8ae573020fe0f2f6d65e0
Opcode Fuzzy Hash: aacb0741113de6204d24c7fb5f08aa5759b2144f5af342047bfa67bb57800d67
Instruction Fuzzy Hash: 88F0A032304289AFEF1ACB08C454F253BD9AB0472CF04892DF9288A0D2C776D8C4CB04

Function 013125E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2aeb8486498ad3f68f02cfeddd872361840ff7dd3df7e02b581a1f699d6ef34
Instruction ID: 7b02560f03ec75adb04e4687cd300a96ca67ff46aa936109cb3268cfe9677971
Opcode Fuzzy Hash: b2aeb8486498ad3f68f02cfeddd872361840ff7dd3df7e02b581a1f699d6ef34
Instruction Fuzzy Hash: E4E092321006549BC726BF2EDD01F8B7B9AEB64778F114515F115571A4CB34A810C7C4

Function 01394000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 598edcf0af7b82ef1f5aca88030f5849a450685a4e6b10f03be53b9a258d49bd
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: EAE0C2343003058FEB15CF19C140B62BBB6BFD5A14F28C068A9488F305EB32E843CB40

Function 0134CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf6717e461c1d0797344cb36a03ef8de2f8aa3102ec39fd99a1303563a1b6c4
Instruction ID: d468f72d0a2ab22e28b9b4a9f1374a8f96afd7d7b2b670e48327edf1a6b23811
Opcode Fuzzy Hash: bdf6717e461c1d0797344cb36a03ef8de2f8aa3102ec39fd99a1303563a1b6c4
Instruction Fuzzy Hash: 56D02B325C20306BDB7AF21DBC04FE33AED9B90228F015C60F10CD2022D524DC8183C4

Function 0136E1D8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction ID: 55ca9b1c405d0f7f9ce5122e8d542b4ca90dff8cc98eb39cc167f5e1af998b97
Opcode Fuzzy Hash: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction Fuzzy Hash: 6DE0C2763145549FD211D60CD890C3BF7EDFBC8604F10025AF884D3610C229DE11CBA0

Function 0130823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction ID: 3b203106d10ff3663bdd63feda075027fbb5843a2b89fc9317a019649a655c75
Opcode Fuzzy Hash: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction Fuzzy Hash: EEE08C31940A24EFDB322E19DC20F5276E9FB58B28F104869E081068A8C774A881CA44

Function 0133EA5D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18881eb9237957d2c5dc77c44f812ceb53a5c7149fcfe0a84321d8c390ea8fd5
Instruction ID: 7bf8b7be3c245c8901c768d9932fa32bf8943467f44c88dcdfcf33e005c94bbb
Opcode Fuzzy Hash: 18881eb9237957d2c5dc77c44f812ceb53a5c7149fcfe0a84321d8c390ea8fd5
Instruction Fuzzy Hash: C2E0C27A68225A8FD7129B0CE1807D8BBE0FB81639F204171E105CB523CB3C8C53CB14

Function 01308C8D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction ID: c55c14982f0c885d843a99b23ce3c7e8ada127e8ef7d38ecf62d0fa0b99a4e50
Opcode Fuzzy Hash: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction Fuzzy Hash: 36E08631541621DEDF32AF1ADD14F52B6F5BB54B1CF004469E012068E0C6749885CA45

Function 01312050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0c23d7818e311f8e38a906bba6be0dd4bfe0a567457bf7afb8be0018a10d72
Instruction ID: c63cdcf06fabbe847508a2ed3f243870d56ce3e70bdc8eed540b3f3cddfa2a7c
Opcode Fuzzy Hash: fa0c23d7818e311f8e38a906bba6be0dd4bfe0a567457bf7afb8be0018a10d72
Instruction Fuzzy Hash: 4BE08C321005606BC616FA5EDD10F4A779AEBA8274F110121F155872A8CA64AC00C794

Function 01348A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 8235786f7ab048197a92cd1e3e8f4dc755101faf995dc2f3c822db3a5ddb3c3b
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 5DE08C33521A188BD728EE5CD522B72B7E8EF45720F09463EA62387780C674F944CB98

Function 01312324 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction ID: 66678bbab6ea84405a7714a42f3028c860e6388517cc21c2435c93e54382778b
Opcode Fuzzy Hash: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction Fuzzy Hash: AFE04F31800056DFDF1AAF59C514B9ABB79FF88308F640454D8003316CCB345850C750

Function 0130A740 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction ID: 77070c1c2ddde04f38be08006264a159df195f0ed47bc117faa7f64e7273e691
Opcode Fuzzy Hash: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction Fuzzy Hash: A1E0C230500455EFDF1BAB9EC854FAABB79BF8871CF08A415D040278A4C738BCA0CB98

Function 01366AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction ID: e4648007713cea0588ae43a47a525368df23f6a93e4cefc1d57dff95cf1f1d63
Opcode Fuzzy Hash: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction Fuzzy Hash: D3D05E76511A60AFD7329F1FEA00C13BBF9FBC9A60705062EE54583924C670A806CBA0

Function 0134E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction ID: 088e600827c8e48062672aba35eec297a50999713eeec46b8f5ba175d15cc2b8
Opcode Fuzzy Hash: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction Fuzzy Hash: AFD0A932204620ABDB32AA1CFC00FD333E8BB8C728F060459F008C7050C364AC81CA84

Function 0138E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction ID: ae0e959abab49c75a5f1779e62a5787197800cbb4461d9f124a5c3e489e462ec
Opcode Fuzzy Hash: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction Fuzzy Hash: C6E08C319007809BCF12EF5DC640F4ABBB5BB88B04F140024A4085B220C228A800CB40

Function 0130A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction ID: 7e9876b58946b4ae62fd00ab73935ef7a7a5f7c23ec62aec1b93e40cdd2d5bba
Opcode Fuzzy Hash: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction Fuzzy Hash: 77D02232212030A3CF2AAA5A7820F637949AB84AA8F0A002CB40A93C40C0088C42D2E0

Function 0134A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction ID: 7b7878358c2843b7e28d2042242e2e5aacd9aefa0988c904d23d3ccebe05d544
Opcode Fuzzy Hash: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction Fuzzy Hash: 3FD012371D055DBBCB11AF66DC01F957BA9E768BA0F444020F504875A0C63AE950D584

Function 0134CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b4e6e5eeacb3e3f5f69985d70e98447120d905c4bd8da523936f76b9dcc104
Instruction ID: 87e6ca816a10441bf1537237af7e14e44378b3d2e5025f6dec0e6feac7805428
Opcode Fuzzy Hash: 83b4e6e5eeacb3e3f5f69985d70e98447120d905c4bd8da523936f76b9dcc104
Instruction Fuzzy Hash: 18D09E355565159BEF16EF5ECA10A6A76B4EF14648B8010A8EA0162530D329E811C650

Function 0134CF50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ef48d663744b8c39783496a892a07236f642af303a4145f8a849d80bfcb68c
Instruction ID: af1f86a4b7e1a247fbc5697b7493f6a7e4b504839e5e877d9460756cc13d553b
Opcode Fuzzy Hash: c6ef48d663744b8c39783496a892a07236f642af303a4145f8a849d80bfcb68c
Instruction Fuzzy Hash: 1CD0A732000144ABC712FF4DCD40F063BAAEBAC754F010020B40847261CA34EC60C748

Function 013202A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 304d7d9df9b2eea38aceb21263beb8075a4e4bb3e742262bb606c674adec464d
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 33D0C935212E80CFD62BCB0CC5A4B1533A8FB45B48F810491F401CBB22D62CE944CA00

Function 0134CF1F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f3234674839ebe2d94e20d49683d0ad241c8f647a1d44df77c10aa767446a9
Instruction ID: 73a1c528fb0b878188eca1b9e377db18e6e008bb8b096408da53d6133a1f6f61
Opcode Fuzzy Hash: f8f3234674839ebe2d94e20d49683d0ad241c8f647a1d44df77c10aa767446a9
Instruction Fuzzy Hash: ACD05E72111440DFEB26DB08CE46F6577E4F714708F4540B8A00A8B924C728E814DB44

Function 0134C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction ID: fb0db6516260858b943465ed7230825d032f12abaf61ef0ea3da5be795e41214
Opcode Fuzzy Hash: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction Fuzzy Hash: 14C01232290658AFCB12AE99CD01F027BA9EBACB50F000021F2048B670C635E820EA84

Function 0130E0D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f2ca23d07611764e16564e894f3f5eb74c899ad8f9e0d272f9c01aed25a1c2
Instruction ID: 93db8ed2e3c1b93b78967546e1906a4eb5d74d6ac16a5ff2ecbd99c2a68d5c43
Opcode Fuzzy Hash: 80f2ca23d07611764e16564e894f3f5eb74c899ad8f9e0d272f9c01aed25a1c2
Instruction Fuzzy Hash: F8C08CF3B10090AAC30DDF229500B72268A93E4201B06C03AB156C2188CA3AC0018A20

Function 01330310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 20f026f6347a4c602c58f52a7b1c1a4b2d4d6076bf3bffdb356d77c2214bb4c1
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 69D01236100248EFCB05DF55C890D9A772AFBD8710F148019FD19076108A31ED62DA50

Function 0134C7F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction ID: 250ddb2ce212a12811c0f894d5434f2aea783e2c9feff15807bd51790b709680
Opcode Fuzzy Hash: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction Fuzzy Hash: 25C002343016458FCF12DB2DC284A5977E4BB49744B8944D0E804DB722D664EC018B00

Function 01310750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: ca0aac4096087e55e4ee17daef29b1669b7521c56416355cfd95b7bee2707276
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 9AC04C797015418FCF15DB1DD294F4577E4F744744F154890E805CB726E624E805CA10

Function 0134C68B Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf97175577b626b7c78728204cd8157c1073e04dc8a46aa34fda69f1f5a91b1c
Instruction ID: 3ecfc2a97efa466cc212048c201a2d510b1529158f6a518d1292d8ca0629b5e4
Opcode Fuzzy Hash: bf97175577b626b7c78728204cd8157c1073e04dc8a46aa34fda69f1f5a91b1c
Instruction Fuzzy Hash: 11C09232151460AFCB22EF0ECE81F023BA9FB287A8F850460B109C3572C638E820CB54

Function 0134A060 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction ID: f888f9a29f390969c6eac5fd58903112ac6273bd99552689174c90ba960dea2f
Opcode Fuzzy Hash: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction Fuzzy Hash: 90B012730214819BC71F6B08E900E013B66E7C8B30F350478B406478604A25DC12D504

Function 0134A950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction ID: 681716e4cdcac7a8fd684bf7a8bc0be53a5aab24dd51ba06229f2bc36db1f375
Opcode Fuzzy Hash: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction Fuzzy Hash: 6BA02233020880CFCB0BBF08CA00F00B338FB00A00FC000A0A00002838C22CC808CA00

Function 01340A50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction ID: 4d18c521489496f15314b5955da3c9783277fea1dd43b1d35ab6314f24d4f69a
Opcode Fuzzy Hash: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction Fuzzy Hash: 58A02232220880CFCB0BBF88CA00F0033B0FB00A00FC080A0B20283830822CEC00CA00

Function 01352890 Relevance: 9.2, APIs: 6, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 0135293C
___swprintf_l.LIBCMT ref: 0135295E
___swprintf_l.LIBCMT ref: 013529A3
___swprintf_l.LIBCMT ref: 0138A52E

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: b2e5d6016ec2a8b92e905d59c063831aa5cea64d92bbbf581622f7e0e6c85f3e
Instruction ID: 53e43de84fecdca639285f4974e570de2aa8e4453d57187cbb7f9653fbe59dfa
Opcode Fuzzy Hash: b2e5d6016ec2a8b92e905d59c063831aa5cea64d92bbbf581622f7e0e6c85f3e
Instruction Fuzzy Hash: 2851E6B6A0421AFFCB51DB9C899097FFBB8BB08648754C12AF8A5D7641D334DE5087E0

Function 0132A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 013779D0, 013779F5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013779FA
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013779D5
SsHd, xrefs: 0132A3E4

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 4334c4534c3b7cee8faebfe9b50da17040a734a275998b5caf6624b35721610b
Instruction ID: 72a6b4d38c84fe593e8a2343943f4eb692506c4857e559d1f05a6e82ef24934d
Opcode Fuzzy Hash: 4334c4534c3b7cee8faebfe9b50da17040a734a275998b5caf6624b35721610b
Instruction Fuzzy Hash: 6EE1E5706043128FE725DE28C888B2BBBE5BB8532CF144A2DF995CBB91D735D945CB81

Function 0132D770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 0137948C

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 01379341, 01379366
GsHd, xrefs: 0132D874
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0137936B
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01379346

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: c6eac98c8fb1b02214adf57ef4a7b40f9d88c745972f2baf119bc9412e8c1fe3
Instruction ID: a7fe2674bf4417e51f30d65ad21aa47777255a539a179082affcb698646bf611
Opcode Fuzzy Hash: c6eac98c8fb1b02214adf57ef4a7b40f9d88c745972f2baf119bc9412e8c1fe3
Instruction Fuzzy Hash: 0EE1C470604356CFEB24DF68C484B6ABBE5BF8832CF044A2DF9959B281D775D944CB82

Function 0135B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__aulldvrm.LIBCMT ref: 0135B6BF

Strings

-, xrefs: 0135B650
+, xrefs: 0135B65A
0, xrefs: 0135B695
0, xrefs: 0135B66F

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: adbdd3ade397063db0dd9e01a2b13d91692e4e214aa83db678a15d9965122bb6
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: D881C370E052899EEF658E6CC891FFEFFB3AF45B28F184159DC61A7299C73488408761

Function 01319126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 01372559

Strings

$, xrefs: 01319191
@, xrefs: 01319175

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 92fcb5f1f0d4938b0a51aedebb728985645dc23125b32ab11217dc392a035693
Instruction ID: b99aa9ba7520e1aeb0feca3eecfdbc29d8a07ed2cd19f0b2d4853049664589b6
Opcode Fuzzy Hash: 92fcb5f1f0d4938b0a51aedebb728985645dc23125b32ab11217dc392a035693
Instruction Fuzzy Hash: F2810C71D00269DBDB35DB58CD44BEEB7B8AB48718F0041EAEA19B7680D7745E84CFA0

Function 0133DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0137F611

Strings

Invalid heap signature for heap at %p, xrefs: 0137F653
RtlUnlockHeap, xrefs: 0137F65D
, passed to %s, xrefs: 0137F662

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: 4ae6c2c2e4b74418549d9351ada105821376f65695a616fb7d3691ffb87e8f96
Instruction ID: af378458bdeacf1a3aa0a032e8a621f3069f30c1a9c6d3f1cf2123a7ef5cbcb7
Opcode Fuzzy Hash: 4ae6c2c2e4b74418549d9351ada105821376f65695a616fb7d3691ffb87e8f96
Instruction Fuzzy Hash: 1F415431A10645DFD72ADF6CC498B6AB7F8FF8072CF548169E51187791CB78A880CB91

Function 0133DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0137F757

Strings

Invalid heap signature for heap at %p, xrefs: 0137F799
RtlLockHeap, xrefs: 0137F7A3
, passed to %s, xrefs: 0137F7A8

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: 2542b1a1fc07d70c07fcd2c0b9de06cf60826dc5838188e0dcc52258a89c9f18
Instruction ID: 88ee6fbe76f8d5087d868bb1f091e45805c282e1df87f7dde71d7f179ef93e12
Opcode Fuzzy Hash: 2542b1a1fc07d70c07fcd2c0b9de06cf60826dc5838188e0dcc52258a89c9f18
Instruction Fuzzy Hash: 5231F4351547C4DFD737DB6CC819B56BBE8EF01A5CF444058E45687AA2C7BCA880C751

Function 0130C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0130C0B4
RtlDebugPrintTimes.NTDLL ref: 0136D623
RtlDebugPrintTimes.NTDLL ref: 0136D651

Strings

$, xrefs: 0130C07C

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 607b4f93846a0fffe0e35a7dfdddf09443b1890033135e49c57e49fbe8dca5aa
Instruction ID: 83d5236a62e03990ffec7415fc7316e84e81552303240e5a48d77a737f59753d
Opcode Fuzzy Hash: 607b4f93846a0fffe0e35a7dfdddf09443b1890033135e49c57e49fbe8dca5aa
Instruction Fuzzy Hash: FD116132A04219EBDF16AF98E94869C7B75FF44378F108119F86A6B2E4CB715E10CF44

Function 0138EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0138EFE1
RtlDebugPrintTimes.NTDLL ref: 0138F009
RtlDebugPrintTimes.NTDLL ref: 0138F0AC
RtlDebugPrintTimes.NTDLL ref: 0138F160

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ee2b9793120580384c3185a604ecfbf2c5c08637a514d1d55bac08f7604fa8ae
Instruction ID: 5bb8e6c154bb1e323d424c4318925fec181fa297e9f61314236012bfb8490575
Opcode Fuzzy Hash: ee2b9793120580384c3185a604ecfbf2c5c08637a514d1d55bac08f7604fa8ae
Instruction Fuzzy Hash: CC712771E003199FDF05EFA8C984ADDBBF9BF48318F14402AEA05EB254D734A905CBA4

Function 0138F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0138F26D
RtlDebugPrintTimes.NTDLL ref: 0138F292
RtlDebugPrintTimes.NTDLL ref: 0138F324
RtlDebugPrintTimes.NTDLL ref: 0138F378

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5b1825b0ccedbd75314470bb9ecbdb3b737e48f7f0202a4c3fe49ed47a2a475c
Instruction ID: 5377d87a952c9d79437f16a79a2be57d5baebe1b2d8d03cb129e1565e93209a7
Opcode Fuzzy Hash: 5b1825b0ccedbd75314470bb9ecbdb3b737e48f7f0202a4c3fe49ed47a2a475c
Instruction Fuzzy Hash: CC513176E003199FEF09DF98D844ADCBBF9BF48318F18812AE905AB250D774A901CF54

Function 01347B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01347B52
BaseThreadInitThunk.KERNEL32 ref: 01347B5C
RtlDebugPrintTimes.NTDLL ref: 013849ED
RtlDebugPrintTimes.NTDLL ref: 01384A70

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 168943c527ec796abae63a1dc8abf718f411963f241a9809f260c765ef61549f
Instruction ID: 4e6b551149d1b7786f55a5ef5781b1ceba023c18e2ebc10d122dda22a17a7e94
Opcode Fuzzy Hash: 168943c527ec796abae63a1dc8abf718f411963f241a9809f260c765ef61549f
Instruction Fuzzy Hash: 58312571E0021A9FDF22EFA9E944A9DBBF0FB48724F10412AE511BB694DB355D00CF54

Function 013159C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01370AA7

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d15d43f464b964668a46b848aabb584c55465fba1b71c7a269e9ccbb08a6d05b
Instruction ID: ac9a7c4d1fb771017ddba113a70cef0b0d4d78babbd823aa7912784b2c3ca2d7
Opcode Fuzzy Hash: d15d43f464b964668a46b848aabb584c55465fba1b71c7a269e9ccbb08a6d05b
Instruction Fuzzy Hash: 0C327B70D0426ADFDB29DF68C844BEDBBB4BF4A308F0081E9D549A7645D7B49A84CF90

Function 01357D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01357E8B

Strings

-, xrefs: 01357DDD
+, xrefs: 01357DE8

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 347a721028e092b52d5334721d91d4ee8b6523ddf78418d371911b6284f2a8ec
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: AF91D371E0021A9FEFA4DF6DC880EBEBBA5EF44B28F94451AED55E72C0D73089418B51

Function 0132D02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0132D3A4

Strings

Bl, xrefs: 0132D48C
l, xrefs: 0132D46B

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: a951588aba48b58a6f8fa6bb0a06b64d6afbca69a256ffc138d320eb5e0afbdf
Instruction ID: 236541335fb095c853ebd08a106dcbfdeb3ba24d1d96326d036d61ae57608120
Opcode Fuzzy Hash: a951588aba48b58a6f8fa6bb0a06b64d6afbca69a256ffc138d320eb5e0afbdf
Instruction Fuzzy Hash: F4A1C531A003398BEF35EB99C890BEDB7B5BB45308F0440E9D90967251DB74AE85CF51

Function 01355DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01355E34

Strings

pow, xrefs: 01355E0C, 01355E29

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8626de43dbe2cd9758e904ed048f6870e07106f2ca962e9d92b15a268105e437
Instruction ID: dcebfcfa5932fc83aff3074ea2b8f48138be846f3c1e0da05dd3271b8faa16a1
Opcode Fuzzy Hash: 8626de43dbe2cd9758e904ed048f6870e07106f2ca962e9d92b15a268105e437
Instruction Fuzzy Hash: DE51AB71908206C7D7E2B61CC905FBABFD5EB00F0CF10C818EC998729DDB3495949B86

Function 0133D7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0133D959

Part of subcall function 01314859: RtlDebugPrintTimes.NTDLL ref: 013148F7

Strings

$, xrefs: 0133D900
$, xrefs: 0133D86D

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 6ec3bd8b359ae51102715bf1cfdf6155332dbcce445698a5fdd944dad2fcf631
Instruction ID: dcd1ef6162fcee81f9d36f76129a12b595d165c4cecf229bb3422fbe395ed998
Opcode Fuzzy Hash: 6ec3bd8b359ae51102715bf1cfdf6155332dbcce445698a5fdd944dad2fcf631
Instruction Fuzzy Hash: 96510F71A0034ADFDB26DFA9D58479DBFB1BF8831CFA48119C4096F295C774A881CB84

Function 0138FD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0138FE73
RtlDebugPrintTimes.NTDLL ref: 0138FE95

Strings

$, xrefs: 0138FE3D

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: dec4c8425a9164a3121fc61559a861a4938a3c3f98eced4f5ebccccf7b6f1f20
Instruction ID: 078c86510887a7b46b41681ed562d2b77a0650ddcd4823fce68e3496b9d1224e
Opcode Fuzzy Hash: dec4c8425a9164a3121fc61559a861a4938a3c3f98eced4f5ebccccf7b6f1f20
Instruction Fuzzy Hash: 56414F75A00309ABDB11EF99C940AEEBBB9FF48B18F140119EA04A7351D771A951CB90

Function 0130DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0130E040

Strings

0, xrefs: 0130E00B
0, xrefs: 0130E020

Memory Dump Source

Source File: 00000008.00000002.2196264197.0000000001306000.00000040.00001000.00020000.00000000.sdmp, Offset: 012E0000, based on PE: true

Associated: 00000008.00000002.2196264197.00000000012E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000012E7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001366000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.00000000013A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001403000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2196264197.0000000001409000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12e0000_z2PaymentAdviceD00772795264733.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: a32121afd06cb6a50af120fec98ae71776c57dc6e85d2b3e56f5b500f9285dec
Instruction ID: 4a8f3a1fa962e56b48cdd2f5204b017c43129ee92563d25a82a5414fd8943de8
Opcode Fuzzy Hash: a32121afd06cb6a50af120fec98ae71776c57dc6e85d2b3e56f5b500f9285dec
Instruction Fuzzy Hash: 8F418CB16087069FD311CF6DC494A16BBE4BF88308F04892EF988DB341D771E909CB86

Analysis Process: YDKFDa.exePID: 7792, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	219
Total number of Limit Nodes:	8

Executed Functions

Function 052B5EE8 Relevance: 12.6, Strings: 8, Instructions: 2604COMMON

Download Yara Rule

Strings

$kq, xrefs: 052B8BA8
4'kq, xrefs: 052B8B56
4'kq, xrefs: 052B6D4B
4'kq, xrefs: 052B6ED3
4'kq, xrefs: 052B8B86
(okq, xrefs: 052B5FBE
4'kq, xrefs: 052B7DB9
4'kq, xrefs: 052B8AFB

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: (okq$4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$$kq
API String ID: 0-3169097850
Opcode ID: 82c00f3437ba5418597e51e67257ba72e200f12b18a9f9d08a613c8fba4cefe1
Instruction ID: ec85e57b4017bba90a44365987084da4885921248db5d59be3674777d560787f
Opcode Fuzzy Hash: 82c00f3437ba5418597e51e67257ba72e200f12b18a9f9d08a613c8fba4cefe1
Instruction Fuzzy Hash: BB43E574A11219CFDB64DF28C888A9DB7B6FF89340F158599E419AB3A1CB71ED81CF40

Function 052B9584 Relevance: 5.5, Strings: 4, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 052B95DF
~, xrefs: 052B957E
4'kq, xrefs: 052B971C
poq, xrefs: 052B97E5

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: 4'kq$:$poq$~
API String ID: 0-3551392484
Opcode ID: 4f827e0e5bf76ffc25f4709ca8196b42955b5af7f3510626addf665ef18f20f9
Instruction ID: 5c5248edb07f2635424fa5d892d4dd9198bb73675df9704525f908aa361432a4
Opcode Fuzzy Hash: 4f827e0e5bf76ffc25f4709ca8196b42955b5af7f3510626addf665ef18f20f9
Instruction Fuzzy Hash: 5B22C175A10218DFDB15CFA8C984E99BBB2FF48304F1580E5E609AB262D772ED91DF10

Function 052B8C80 Relevance: 2.8, Strings: 2, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4|pq, xrefs: 052B8CEB
4|pq, xrefs: 052B8CD0

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: 4|pq$4|pq
API String ID: 0-1558397114
Opcode ID: c62438ed10d176033b1786eb65759418256acfb039cdf0f3e1197b8f9d97e98e
Instruction ID: c20e29da3e26ba7aa5d7f1d88680c19491655f04ae630c421b4c87412ce78413
Opcode Fuzzy Hash: c62438ed10d176033b1786eb65759418256acfb039cdf0f3e1197b8f9d97e98e
Instruction Fuzzy Hash: 64A1A931A2421A8FDB08DF79D8545AE7BFAFF89391B14442AE40AD7391DAB4CD01CB90

Function 06C37B75 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C37DB6

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c2a90aec817a90abdc08e16bc185cfc7ae1719da5110e206b3fd020d1e7fe7ef
Instruction ID: 5a52c89a32e74425fbb2e6ee011aba44000c199d08dc68538288c7684efef82b
Opcode Fuzzy Hash: c2a90aec817a90abdc08e16bc185cfc7ae1719da5110e206b3fd020d1e7fe7ef
Instruction Fuzzy Hash: 9DA15BB1D00229DFDB50DF68C840BEDBBB2BF48310F1485A9E809A7250DB749A85CFA5

Function 06C37B80 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C37DB6

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a2708df8523bc4b6f9ed8d6205e1b59cc83e8b2d3080c7578b0aa9d6a60b974a
Instruction ID: ef383dc4c093c0ff89fe39be8c62b6022e76a7d5159a37b79da9772cbfbc13af
Opcode Fuzzy Hash: a2708df8523bc4b6f9ed8d6205e1b59cc83e8b2d3080c7578b0aa9d6a60b974a
Instruction Fuzzy Hash: 80915BB1D00229DFDF50DF68C841BEDBBB2BF48310F1485A9E809A7250DB749A85CFA5

Function 00CAAD08 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CAAF5E

Memory Dump Source

Source File: 00000009.00000002.1923707897.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_YDKFDa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fed2f854a9d83c16ee0677098c99d2d041e07ad60396623e60693bbe92f7ef31
Instruction ID: 7d2e1185a6ed964ff7b7f346ae8f2dd724fce5023c9be017cea5b7ab0425952a
Opcode Fuzzy Hash: fed2f854a9d83c16ee0677098c99d2d041e07ad60396623e60693bbe92f7ef31
Instruction Fuzzy Hash: FC713470A00B068FD764DF2AD04175ABBF1FF89308F008A2DD49ADBA50D775E949CB92

Function 00CA5A64 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1923707897.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cfb57106d284e4f758d3231e51a312ca1e611ef20e28e7a8a818df555415c4
Instruction ID: 82752fb77134de3cedca0a9721e016c96ba2481c2decc1e26f5edd9f88982f84
Opcode Fuzzy Hash: e3cfb57106d284e4f758d3231e51a312ca1e611ef20e28e7a8a818df555415c4
Instruction Fuzzy Hash: EC31BFB1D04A4ACFDB10CFA9C8883EEBBB1EF52318F24818AD455AB255C775AD46DF40

Function 00CA44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CA59A9

Memory Dump Source

Source File: 00000009.00000002.1923707897.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_YDKFDa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ba9057dd52150590884a677b9c96e2a0caab7f72517eebe24222defb606f1d3f
Instruction ID: 24c726ed03703c56e6b8c6bdd39d25dcfa709cfa1155e8b83c1bcab3d706737f
Opcode Fuzzy Hash: ba9057dd52150590884a677b9c96e2a0caab7f72517eebe24222defb606f1d3f
Instruction Fuzzy Hash: FD41E3B0D00B1ECFDB24DFAAC84479EBBB5BF49304F20816AD418AB255DB756949CF90

Function 04CF4040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04CF4101

Memory Dump Source

Source File: 00000009.00000002.1987662037.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4cf0000_YDKFDa.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a7c86e4dc690705e6b6df6c25bcfdef4a92e1a88cd40bec3b356fbce452a871a
Instruction ID: 48b9ef2d86c354aff3a2866e082f888faacac1bb05b51ecb60f7b9320b676b13
Opcode Fuzzy Hash: a7c86e4dc690705e6b6df6c25bcfdef4a92e1a88cd40bec3b356fbce452a871a
Instruction Fuzzy Hash: 20413BB8900209DFDB54CF99C848AABBBF5FB98314F24C459D519AB321D374A941CFA4

Function 00CA58EC Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CA59A9

Memory Dump Source

Source File: 00000009.00000002.1923707897.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_YDKFDa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 00b454472e0ed1c6319aba24b70f8ad7b84e4f8ff61b09e4464eb0f91209a2b2
Instruction ID: f6d56df8e7c6596d93292314ff3147253d12af074a91a3458a3b4d8d7c653ff1
Opcode Fuzzy Hash: 00b454472e0ed1c6319aba24b70f8ad7b84e4f8ff61b09e4464eb0f91209a2b2
Instruction Fuzzy Hash: 7B4123B0D0071ACFDB14CFA9C9847CDBBB5BF49304F2481AAD008AB255DB75694ACF50

Function 06C378F1 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C37988

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 913dace3ebbab21af1e3791ab11f6c62dd68eeff32ddfda3dcc4775a22911a7d
Instruction ID: 0af0dbb0a1c0d4493cd2394e09e1c50b0b5d02974b21bec13930c77c033a9382
Opcode Fuzzy Hash: 913dace3ebbab21af1e3791ab11f6c62dd68eeff32ddfda3dcc4775a22911a7d
Instruction Fuzzy Hash: 592148B19003199FCB10DFA9C880BDEBBF5FF48310F10842AE958A7250C7789944CFA4

Function 06C378F8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C37988

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 98f3cd67bee587dd534165aafe6aed3ec67edba219287d09650af024b93e56e9
Instruction ID: d422b23cc45932754bfe53c3296e154016a396c4e7e0c9846a8424b45791b810
Opcode Fuzzy Hash: 98f3cd67bee587dd534165aafe6aed3ec67edba219287d09650af024b93e56e9
Instruction Fuzzy Hash: 952124B19003599FCB10CFA9C985BDEBBF5FF48320F10842AE958A7250D7789944CBA4

Function 06C379E0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C37A68

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 08ea9372942066c92299d117fd2ae840848d7bf0294ac799e00631a301191a3b
Instruction ID: e7563f273ba0a636096cc17b1ae43b66c9254050bf9ce9bb2c28f560a78530c8
Opcode Fuzzy Hash: 08ea9372942066c92299d117fd2ae840848d7bf0294ac799e00631a301191a3b
Instruction Fuzzy Hash: 45212AB1D003599FCB10DFA9C881BDEBBF5FF48320F50842AE559A7250C7789545CBA4

Function 06C37323 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C373A6

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5230ade06c1150cf05d3fdc11845a652219ad8c1cd01e67b38aeae2ec1e73956
Instruction ID: 1d6864011772a35e31928bffc7836a9bc4b431965cd8fee07d3e6daf7b530738
Opcode Fuzzy Hash: 5230ade06c1150cf05d3fdc11845a652219ad8c1cd01e67b38aeae2ec1e73956
Instruction Fuzzy Hash: 362137B1D003199FDB50DFAAC4857EEBBF4EF48324F14842AD859A7240CB789944CFA5

Function 00CAD1DC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CAD5B6,?,?,?,?,?), ref: 00CAD677

Memory Dump Source

Source File: 00000009.00000002.1923707897.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_YDKFDa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 39bb7caa2f8e443acdaf01c1dc08144a6108901461f285e3aae0f095223abdd9
Instruction ID: 82844bf45906d16690a757bf49ac7a4cf7bb82f181ee13640906f91d27dce2d8
Opcode Fuzzy Hash: 39bb7caa2f8e443acdaf01c1dc08144a6108901461f285e3aae0f095223abdd9
Instruction Fuzzy Hash: 7721E4B5900249DFDB10CF9AD584ADEBFF8EB48314F14841AE919A7310D374A940CFA5

Function 06C37328 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C373A6

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 51c9e83df11ea54e99e079ec73879c06aa8a2383507786ac52024807226ba058
Instruction ID: ac2db1734fd47a85be03d3ad29874a9ff09f4f7493d5cd094dc21f9fa1df1c4b
Opcode Fuzzy Hash: 51c9e83df11ea54e99e079ec73879c06aa8a2383507786ac52024807226ba058
Instruction Fuzzy Hash: CA2137B1D003198FDB50DFAAC4857EEBBF4EB48320F10842AD859A7240C7789944CFA5

Function 06C379E8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C37A68

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4951aa878a7fc2f7e14095910c5d3e63b07a9ee8e8d73ddef76adfd9b5548887
Instruction ID: 67f11d98bd4560326887c60a739eef69c6970dc3ce535aa8d5001341a4dbff43
Opcode Fuzzy Hash: 4951aa878a7fc2f7e14095910c5d3e63b07a9ee8e8d73ddef76adfd9b5548887
Instruction Fuzzy Hash: 152139B1D003599FCB10DFAAC880AEEFBF5FF48320F10842AE558A7250C7789544CBA4

Function 052BAE87 Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

@, xrefs: 052BAFAF

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f50481b83f5200e6208818285deb40593bd516efa35963e91105b8f7857ed1f5
Instruction ID: f4dd4cff3a02a0608c9f4e144367f17702564d6fd630d4d97d7ba217f9c89dfb
Opcode Fuzzy Hash: f50481b83f5200e6208818285deb40593bd516efa35963e91105b8f7857ed1f5
Instruction Fuzzy Hash: 89E1A074E142198FDB60CFA9C881AEDBBF2BF48354F1491AAD819E7345D731A981CF50

Function 06C37830 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C378A6

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb0ac65fda9c6e27760a5439db21f7b78a2da3230d5b5d43021c661f6b2504a5
Instruction ID: 6c603b6e7e8a2be2e1eae9433884a2b49802e079fcec3ab5c98abbc2eb14aff6
Opcode Fuzzy Hash: cb0ac65fda9c6e27760a5439db21f7b78a2da3230d5b5d43021c661f6b2504a5
Instruction Fuzzy Hash: 1C1147B19002489FCB10DFA9C844AEEBBF5EB88320F24881AE555A7250C7759940CFA5

Function 06C37273 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C372DA

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c79869532c6660e00d7a35d94a8ac00834ebde555745b7a2edc8f82274c8f8fb
Instruction ID: d7e73cea3f15c35dc4a32708f8334f047e518793ef734140ac3ea4e989c000da
Opcode Fuzzy Hash: c79869532c6660e00d7a35d94a8ac00834ebde555745b7a2edc8f82274c8f8fb
Instruction Fuzzy Hash: F01158B1D003588FCB20DFAAC9457DEFBF8AB88324F20841AD459A7250CB79A544CBA4

Function 06C37838 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C378A6

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 443cbc4d4b410fb5a2153f721dd7cdf681744bad9b2383d7cb6078ddf5b29b7c
Instruction ID: d18e91085f265e3860940622beb9890b89a0a5712bc16af8bb0409bd06bee68e
Opcode Fuzzy Hash: 443cbc4d4b410fb5a2153f721dd7cdf681744bad9b2383d7cb6078ddf5b29b7c
Instruction Fuzzy Hash: 431137B19002499FCB10DFAAC844BDEBFF5EF88320F24881AE559A7250C775A944CFA5

Function 06C37278 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C372DA

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d9957d93b15ac669e67794208c9aa6abc1f29576ae00ce559b23e50b215c946a
Instruction ID: 5960e88c7e5b5027120013e18e544235c15784a525d24b679bb11ffe67eef00a
Opcode Fuzzy Hash: d9957d93b15ac669e67794208c9aa6abc1f29576ae00ce559b23e50b215c946a
Instruction Fuzzy Hash: DC1128B19002598FCB20DFAAC5457DEFBF8AB88324F20841AD459A7250CB75A544CBA4

Function 00CAAEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CAAF5E

Memory Dump Source

Source File: 00000009.00000002.1923707897.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ca0000_YDKFDa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4e405df1ddbb07e1872a27821d9f65e5ab6da6f629f0985e9c4ede1ed4ff273d
Instruction ID: 771bc15a4105f09425d83e032988400331be5bc05c9ea254e8beb770afdadc0d
Opcode Fuzzy Hash: 4e405df1ddbb07e1872a27821d9f65e5ab6da6f629f0985e9c4ede1ed4ff273d
Instruction Fuzzy Hash: 1611F2B5C007498FCB14CF9AD844ADEFBF4EF89328F10846AD469A7210C379A645CFA5

Function 06C36448 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C3B245

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 918e6eab83adebcc4f8c5533bdfaeb20541873afbeae660ce8a2b77b00b4fae7
Instruction ID: ffe83dbfbbe363af28ad98bff90cd30858959a53ccfb233f6fa7e6e4ac621c8b
Opcode Fuzzy Hash: 918e6eab83adebcc4f8c5533bdfaeb20541873afbeae660ce8a2b77b00b4fae7
Instruction Fuzzy Hash: 1A11F2B58007589FDB50DF9AC948BDEFBF8EB58324F10841AE558A7210C375AA44CFA5

Function 06C3B1E3 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C3B245

Memory Dump Source

Source File: 00000009.00000002.1989773908.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_YDKFDa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6b4562b7809616cafea33711537fa2303ec775242916d294e6668a0cb2501a64
Instruction ID: d5c5966c4045238b2738485aef7268d139df0c06fde57acb3e9e50511b29873b
Opcode Fuzzy Hash: 6b4562b7809616cafea33711537fa2303ec775242916d294e6668a0cb2501a64
Instruction Fuzzy Hash: E91103B58003489FCB50CF9AC948BDEFBF8EB48324F10841AE958A7210C375A984CFA5

Function 052B9C46 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

LRkq, xrefs: 052B9CC2

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 72565bc9939a83940e2df9ac816651779033e1d9021459bf08354e13cea9e970
Instruction ID: d11b8397bfd8334e41c082bebc33a6d7bfdaa6518f95a26cddfb6b3ca3d115ae
Opcode Fuzzy Hash: 72565bc9939a83940e2df9ac816651779033e1d9021459bf08354e13cea9e970
Instruction Fuzzy Hash: 1791E274E142198FDB04DFA9D480AEDBBF2EF88354F20842AD919E7355EB759942CF40

Function 052BA6D8 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8oq, xrefs: 052BA779

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: 8oq
API String ID: 0-3198120224
Opcode ID: 7f9da02546d021fbfc7752873276074ebc99c8c0201ad5abd341756370953014
Instruction ID: f700e44279cd8bccec9f9221bc7018b70f205a9fbea7ae41f4cdb1677ac63cc5
Opcode Fuzzy Hash: 7f9da02546d021fbfc7752873276074ebc99c8c0201ad5abd341756370953014
Instruction Fuzzy Hash: 1741E774E151099FEB14DFA8D9819EEBBF2FF88304F248029E905A7350DB75A942CF50

Function 052BB4B0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tekq, xrefs: 052BB51B

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 53bc3a19cc85363918273fc24b1499d2876f5ec03dca299df8cb8066be2aa4a5
Instruction ID: cef05224c1bab41d04942d0d5b34175d556312598d185aa0e09ee67bf70211b0
Opcode Fuzzy Hash: 53bc3a19cc85363918273fc24b1499d2876f5ec03dca299df8cb8066be2aa4a5
Instruction Fuzzy Hash: CF115A71B0020A8BDF14EFB999105EFB6B6BF88350F204079C505E7294EB75DE01CBA1

Function 052B91F0 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

6, xrefs: 052B9204

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: ec63cd7232b7cd7e66cffa2748fde3920c85a504c1bd5973bf42a18e4520c1bf
Instruction ID: 83feb231fea07a089cca70606a024b2a16015e1036de422b230ec38ddfe7d5b1
Opcode Fuzzy Hash: ec63cd7232b7cd7e66cffa2748fde3920c85a504c1bd5973bf42a18e4520c1bf
Instruction Fuzzy Hash: 02E0C230D16209DBDF10DFB5E5486ED7BB8EB05382F008194D90A93240EBB01ED0DF91

Function 052BD2F8 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

m, xrefs: 052BD30C

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 82da57c3994b57be750db1da9646cfd39eb17bc8a0db7b1fca20a0fa32c47732
Instruction ID: e717fc55ed04f7caf7830dd666e52ace6fa71de350eb66492e0b172386524a65
Opcode Fuzzy Hash: 82da57c3994b57be750db1da9646cfd39eb17bc8a0db7b1fca20a0fa32c47732
Instruction Fuzzy Hash: 91E0C230E1610CDBDB08EFB5D4047EC7BB9AF01740F1042A5C80993241EAF01E44DF41

Function 052B9EE0 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

7, xrefs: 052B9EF4

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 8b8fac3b8866aae3ae24174d5bee06dcc17dbc76ace1970468614dac38626b76
Instruction ID: b98c03bce036ccb7ce52f7936911fd07bac7f7465e951d4d5abc909a4f97b787
Opcode Fuzzy Hash: 8b8fac3b8866aae3ae24174d5bee06dcc17dbc76ace1970468614dac38626b76
Instruction Fuzzy Hash: 3AE0C23091A20DDBEB10EFB5D4486EC77BCAF01394F004595C90993280EAF11EC4DB91

Function 052BCE48 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3244d120d0de19a9075d07cc8c40874c02e77d161ef0103bb13c8d2857b87e76
Instruction ID: 3fc13263f5935ed3e11876167bab4740462c685a6317257f76c168304203f62d
Opcode Fuzzy Hash: 3244d120d0de19a9075d07cc8c40874c02e77d161ef0103bb13c8d2857b87e76
Instruction Fuzzy Hash: A631F271A093889FDB06DB78DC588AD3FF5EF4624071944EBD449CB263EA748D02C752

Function 052BE408 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3690c1a9019eb9fa99c1729c876b811e77f568eb30dc7edc31375f0ff9e69530
Instruction ID: 5682ebab8563d911fd8ca2d6800c19d8aa92783c5cd88741162afaea09523b69
Opcode Fuzzy Hash: 3690c1a9019eb9fa99c1729c876b811e77f568eb30dc7edc31375f0ff9e69530
Instruction Fuzzy Hash: 1C412774E101198FEB04DFA9D480AEEB7F6EF88310F158469E819E7350EB75AA01CB91

Function 052B8E58 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f6e13c251d44dd247e45d8405ec0d29462b65e7c6b7e6263aa15d30d32dbde
Instruction ID: c779f5cc6c387386c63c8f934b4c0d2e2fadb4f62ae90f678897c9c05fe9570c
Opcode Fuzzy Hash: 30f6e13c251d44dd247e45d8405ec0d29462b65e7c6b7e6263aa15d30d32dbde
Instruction Fuzzy Hash: E7410374E2120A8FDB04DFBAE8545EEBBF6FF49341B148426E90AE3254EB74D900CB50

Function 052BE403 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9274dc96ccfb7d2a0460b0017ec0b1610e91c7edf9a67c317c81fc9bf8be16
Instruction ID: 7525fb72921762b26f8bece2091104a033f8f89f7d8acf50b1acf084f5a85b29
Opcode Fuzzy Hash: ad9274dc96ccfb7d2a0460b0017ec0b1610e91c7edf9a67c317c81fc9bf8be16
Instruction Fuzzy Hash: 5F413834E101099FEB04DFA9D481AEEB7F6EF88350F15C469E419E7350EB75A902CB91

Function 052BA2B4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726422ccc895dbeb7e486ac198ebd096d8313c375d1bbae1d5fd92531164fb62
Instruction ID: a7ecde3af5556d1d1ed7bdfba899bc259b41c337a2f69fb49da0d5cb2fb05172
Opcode Fuzzy Hash: 726422ccc895dbeb7e486ac198ebd096d8313c375d1bbae1d5fd92531164fb62
Instruction Fuzzy Hash: 3C21EF70F002499FDB16EB7A98588BFBBF7EFC93507148829D85AC7245EE348D058751

Function 052B49E9 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0810caa04f5456276932cc4edfb6e34d07ed6ba27269cf0147f79c9b184a7ea3
Instruction ID: 90b5824d3440d67a0903becf53ff27084cbfdc896fa2d81adcd9ee4bd62c6656
Opcode Fuzzy Hash: 0810caa04f5456276932cc4edfb6e34d07ed6ba27269cf0147f79c9b184a7ea3
Instruction Fuzzy Hash: 5A31BF31A00109DFDF04EFA8D984AEDBBB2FF48360F108029E502BB265C7719D45CBA4

Function 052BAD81 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2886923235d8183bc7f0ac67b5126d6eda821726df7fbf0390df4e60b29d0dc9
Instruction ID: 36756b6891fb38bc72bc89d18edc6e5272d613a019c363f0a172d423bcf8303e
Opcode Fuzzy Hash: 2886923235d8183bc7f0ac67b5126d6eda821726df7fbf0390df4e60b29d0dc9
Instruction Fuzzy Hash: EB315AB4E1520A9FDB50CFA9D5846EEBBF1BF08341F14846AD819E7200E7759A40CFA0

Function 0094D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1851893468.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_94d000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881f1858a550317dc8ddda8be7261da76c9a1237192c4afa605c1a9ca2b71bad
Instruction ID: 0eeea2415a433739dfcd07d8ec02255ed8b45bcebb321d803790bfb4e2566788
Opcode Fuzzy Hash: 881f1858a550317dc8ddda8be7261da76c9a1237192c4afa605c1a9ca2b71bad
Instruction Fuzzy Hash: C4213B79604200DFDB05DF14D5C4F26BBA5FB84314F20CA6DE9094B355C3BAD846CB61

Function 0094D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1851893468.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_94d000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274217d775a168a2e136345e961470c32a95637a3e10d2d6acf835a2d4a5ea2d
Instruction ID: 20d162db7593c837bcce71aaf1628a1f17254f1b7812b085bc46d39446cfc1ad
Opcode Fuzzy Hash: 274217d775a168a2e136345e961470c32a95637a3e10d2d6acf835a2d4a5ea2d
Instruction Fuzzy Hash: E021F279604200DFDB14DF14D984F26BBA5EB84314F20C96DD80A4B296C33AD847CA61

Function 052BBB3C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9695b5a93c884c5a419f5117d46e9f9198919616a02d91f32c2a50d2ec5f2445
Instruction ID: 3f1b48ab2ae50b464cf73b5247395e77d565c56a63bfbc8da6ac754969454abe
Opcode Fuzzy Hash: 9695b5a93c884c5a419f5117d46e9f9198919616a02d91f32c2a50d2ec5f2445
Instruction Fuzzy Hash: 9931DFB1D112189FEB20DF99C984BCEBBB4BF09354F24805AE408BB290C7B55885CFA5

Function 052BB6C4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b4a157dfd77d0db3e7f36cd8de7911a4c7b81c97d3e4704d26091613c8d2fd
Instruction ID: fe1f4ab2fd2ac884a410c1cd43c356e5874b3eb9756c7f87be47a4a5adaabdcc
Opcode Fuzzy Hash: 60b4a157dfd77d0db3e7f36cd8de7911a4c7b81c97d3e4704d26091613c8d2fd
Instruction Fuzzy Hash: A231C0B0D152189FEB20DF99C988BCEBBF5BF08754F24805AE409BB250C7B55885CFA5

Function 052BB843 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4754813a454715037813b9ba1aa207f55ba4a58ca3a23b60c4cf7ad2f583aef
Instruction ID: 8646bc2f631204e6982c3d9be02ca1dbf4aedf81c1c2840a449fe16dddf8395a
Opcode Fuzzy Hash: d4754813a454715037813b9ba1aa207f55ba4a58ca3a23b60c4cf7ad2f583aef
Instruction Fuzzy Hash: 522164B58046498FDB10CF9AC4487CEBBF4AF48314F14801AD948AB211D3B4A904CFA1

Function 052BA2AB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e74663048a7cd96cda7b37b17b587a75bd07e086f47e7aa0b1ae80d6d4e56d5
Instruction ID: fd26bb1309035b73208f88ca34290e978c0ee8512a3547166e19fd0258460846
Opcode Fuzzy Hash: 4e74663048a7cd96cda7b37b17b587a75bd07e086f47e7aa0b1ae80d6d4e56d5
Instruction Fuzzy Hash: 8111C175E1020A5F9B11EF7988448BFB7F7EFC43A07148929E459D7244EB708D018B60

Function 052BB988 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3abe359f1c863268dfc8bdd1bfa6e9ac54f5524c9cee35f4623765e845bc8a80
Instruction ID: bb509725fb17ad87eedbc4e216179f6490931fc0e9e7bfffffb3e0474b339de9
Opcode Fuzzy Hash: 3abe359f1c863268dfc8bdd1bfa6e9ac54f5524c9cee35f4623765e845bc8a80
Instruction Fuzzy Hash: 7211E3B5E0020A4F9B15EF7998848BFBBB7FFC43607144629D469D7240EB708E0687A0

Function 0094D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1851893468.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_94d000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f8889264f563c373c58121073ca5916c4e4fd413b6f568be4a09ff12c5f7a8
Instruction ID: 18ea82734e243820873b90b25611466793a1e8717af1baf9143e5403ae2cf3c0
Opcode Fuzzy Hash: 13f8889264f563c373c58121073ca5916c4e4fd413b6f568be4a09ff12c5f7a8
Instruction Fuzzy Hash: 76215E755093808FDB16CF24D994B15BF71EB46314F28C5EAD8498F6A7C33A980ACB62

Function 052BB8B4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0d14555d9a5e4f0335b361e8e021540b5e27fdf7438746e8115402dbb19e62
Instruction ID: 97b4e51987004f1fd4fa0e78d2f98b597d334c2fe4ef08eaaa270b0e5221a5aa
Opcode Fuzzy Hash: fb0d14555d9a5e4f0335b361e8e021540b5e27fdf7438746e8115402dbb19e62
Instruction Fuzzy Hash: 2C2103B59043499FDB10DF9AD844ADEBBF4FB48350F10842AE919B7210C3B5A944CFA5

Function 0094D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1851893468.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_94d000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e7e9729a33ecfbe1e89e7c88148092dcaf1059ba2e166721d38158f2a62a23fe
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 36118B79504280DFDB16CF14D5C4B15BBA1FB84314F24C6AAD8494B696C37AD84ACB61

Function 0093D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844741422.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_93d000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a4ef29d8e2b055909cbd5c72bfcdb19ac6e9e1ef1158fc481c973ac3d35003
Instruction ID: 6d3e2acfd504aa8ec452d6080e2bbed51610592a48e4794a5349a083d10b6a9d
Opcode Fuzzy Hash: a3a4ef29d8e2b055909cbd5c72bfcdb19ac6e9e1ef1158fc481c973ac3d35003
Instruction Fuzzy Hash: AE01DBB100A3409AE7114A29ED94767FFDCEF51324F18C92AED0A4A286C77DDC40CEB1

Function 052BE2E8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac35fbdefae21b75a9de931a8e2664435f77063f400eb38166d487cd4a7408f
Instruction ID: 62281bc1ba02369ee861bec26cdeaec382b11fcc0ed03cb229ef3cb582fc82ac
Opcode Fuzzy Hash: 5ac35fbdefae21b75a9de931a8e2664435f77063f400eb38166d487cd4a7408f
Instruction Fuzzy Hash: 650112B4E152099FDB44DFA9C8406EEBBF9EF48340F1481AA9819E3300EB709A01CF91

Function 052B49B3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59368e02ed609a6e577bf25dbd15a2f119dcb3768d9fe3e75692c81dd52a5a76
Instruction ID: b2f29d19f450db44c33ec14be62bac7288fdf0b6bb21f8bdd031cf5a61c6d64f
Opcode Fuzzy Hash: 59368e02ed609a6e577bf25dbd15a2f119dcb3768d9fe3e75692c81dd52a5a76
Instruction Fuzzy Hash: 000126BB4042945FE7029F18998D6D57BA1EF31398F8A40EAC5C08B533E669851EC752

Function 052BCAC1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a16f8635e7fb31180d112e6a40801a704dd3d8922f1be065e460e38f4ee096e
Instruction ID: 369b9c2492d32a9fcd32d2a65e4b2f077f8d2d50108d3c3f53f973437cb7514a
Opcode Fuzzy Hash: 6a16f8635e7fb31180d112e6a40801a704dd3d8922f1be065e460e38f4ee096e
Instruction Fuzzy Hash: 320128B4D1520A9FDB44DFA9A9552EDBBF1EF48300F1085AAD819E7241EB748E01CB51

Function 052BCAD0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9039b212d9ca48e5ed280d39289446e2e0bfa3d40ff519ed65a1ceb8234ccb0
Instruction ID: 9eb4b89275b77ba3d059499581948f866dd3100d957e78b7462b89aaece528d0
Opcode Fuzzy Hash: c9039b212d9ca48e5ed280d39289446e2e0bfa3d40ff519ed65a1ceb8234ccb0
Instruction Fuzzy Hash: ED01E4B4E1520A9FDB40DFA9E5006EEBBF5EF48301F10816A9819E3344EBB09A00CB51

Function 052BBF05 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb68e7691d152878e3dc4e215f64d106686be88701bdfb3ec4c64f7d9151ce3
Instruction ID: a5bbddae2f7f3ef7b346041ed32a5cf9a7a46907deef0a12b14c5961bb20dc32
Opcode Fuzzy Hash: bfb68e7691d152878e3dc4e215f64d106686be88701bdfb3ec4c64f7d9151ce3
Instruction Fuzzy Hash: FF01EC7081421ADFEB14CF65C4443EE7AF1BF44390F108225F869AA1A0D7B44A45CF90

Function 0093D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1844741422.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_93d000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4dc8c7e7983f37a9ad55b4d2afafc12abb5fbb4ceeec67c6fee41198f3a125
Instruction ID: 400984a3632707afe5e4f9a703ac23353eaf1867b6d1fdea3175d3083b8786b1
Opcode Fuzzy Hash: 9f4dc8c7e7983f37a9ad55b4d2afafc12abb5fbb4ceeec67c6fee41198f3a125
Instruction Fuzzy Hash: D9F062B14053449EE7108A1ADD84B62FFECEF51724F18C45AED094F286C3799844CAB1

Function 052B9178 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ba3aa7a428e3fc1b423a173ff69f472443841f845060d1c9f59f2d0ad349e9
Instruction ID: 6ef89e3f2a74e9afa67003f14b8582dd92489edf229b2dfc449022a46cd5d6b5
Opcode Fuzzy Hash: 79ba3aa7a428e3fc1b423a173ff69f472443841f845060d1c9f59f2d0ad349e9
Instruction Fuzzy Hash: 6EF03774E152099FDB40EFA8C4446AEBBF4EB48304F10C4A9D919E7340EBB5AA42DF40

Function 052BA660 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f2dfc344026d8dbde51c54963d649d4e27db4ef76795bbb88d4ae7225ab466
Instruction ID: d723cfbd150ad8ba039491bd4eed002f1c8ef71a34c1c6d963a02e173ef0b84e
Opcode Fuzzy Hash: 78f2dfc344026d8dbde51c54963d649d4e27db4ef76795bbb88d4ae7225ab466
Instruction Fuzzy Hash: BEF03CB4D1A20A9FDB45DFB999051EDBBB4FF45300F1081AAD819E3345EB705A01CF91

Function 052BBF08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3419bb603d3322fd180c1f760ea177467282e7b5b336a4f3f8732e00509cd9e8
Instruction ID: 7c1ed107247d9c40a3abddffd751b756d4de42587fe89195fbaa5c81783f7887
Opcode Fuzzy Hash: 3419bb603d3322fd180c1f760ea177467282e7b5b336a4f3f8732e00509cd9e8
Instruction Fuzzy Hash: A701AC70814219DFEB14DF65C4447EE7AF5BF44350F148525F829AA1A0D7B44A45CF94

Function 052BA670 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9b32e4d433aab18a03d2ec1d8e53a813b2d3f1d2baece8d1d481bf2c3001cb
Instruction ID: aa033782d97ca8f5a42ddb4fe65c2943c04fb47ba82dec7a11d73e47f61f5855
Opcode Fuzzy Hash: 6f9b32e4d433aab18a03d2ec1d8e53a813b2d3f1d2baece8d1d481bf2c3001cb
Instruction Fuzzy Hash: 3AF074B4E1620A9BDB44DFA9D5415AEBBF5FF48340F50916A9819E3304EBB09A00DF91

Function 052BDDF8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ce0a94f09f8758985df01a02fe061ecf17003cf0755f3426c2fcfccaaba3ca
Instruction ID: 147cb975dae0b65a31393694d2b74e70020f8c0b51cc74573c6bd47bf33cb7d8
Opcode Fuzzy Hash: 37ce0a94f09f8758985df01a02fe061ecf17003cf0755f3426c2fcfccaaba3ca
Instruction Fuzzy Hash: BFF0E7B4E1520A9FDB44DFA9D5006EEBBF5BF48340F1081699819E3304EBB19A01CF51

Function 052BB8A4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a21b66ecce6883936f6887860fbe31d51a2e6854c4ba5d73ce798fcc95c9db
Instruction ID: b0cbbd37ee66d60f93fce9b4fa2376e67695e4afd5e5b71c95f42e999869cbc6
Opcode Fuzzy Hash: 39a21b66ecce6883936f6887860fbe31d51a2e6854c4ba5d73ce798fcc95c9db
Instruction Fuzzy Hash: 6BF082716141096FAF08DF58DC459EEBFAAEF483A0B14806AE409E7214E6B1E9508754

Function 052BBFA8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e340820a5f51f1b97f85518245bd590ffa25d57d41342229e099f027d2276c5e
Instruction ID: 436b368915159a7e5076f213527177fcc0fbf8c881376e0a2c51dd3018fd219c
Opcode Fuzzy Hash: e340820a5f51f1b97f85518245bd590ffa25d57d41342229e099f027d2276c5e
Instruction Fuzzy Hash: 51E06D727041286F9304DA6EDC84D6BBBEDFBCC670311807AF508C7310D9319C00C6A0

Function 052BE280 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e90c2a484f3cf8353e553dfff121318cf88d78bbc1c9c44e692513f9913bd5
Instruction ID: 4f0c996aaea7f49a1dee38d12ce306c02514359c03369bffca245c5ee6137d17
Opcode Fuzzy Hash: 60e90c2a484f3cf8353e553dfff121318cf88d78bbc1c9c44e692513f9913bd5
Instruction Fuzzy Hash: 51F0B2B4D25209AFDB44DFB9D8455EDBBF9EF09300F0199AAD829E3300EBB05A409F40

Function 052B9BD8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb08db2a52b8ea54585d3b24e20454b8ca393d6138b076bb22caa3123a30ff7a
Instruction ID: e3565a321fcd06083dc9c64e62c156ced200c2622a3c58e6c76e5d72b6a08924
Opcode Fuzzy Hash: eb08db2a52b8ea54585d3b24e20454b8ca393d6138b076bb22caa3123a30ff7a
Instruction Fuzzy Hash: 56F0AFB4D15219AFDB40DFAAE5456ADBBF9EB09340F1099AAD919E3200E7B05A808F40

Function 052B9BD1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c84864a30ecc142d78b2008487ff79b673c974fca0f9a8743806376cf0c711
Instruction ID: 094773217fd267788d4d4cdf5b675a39fe7587d3f2b0a22ded48b0331a451088
Opcode Fuzzy Hash: 33c84864a30ecc142d78b2008487ff79b673c974fca0f9a8743806376cf0c711
Instruction Fuzzy Hash: 1CF0D4B4D15219AFDB40DFA9E5856EDBBF5EB48340F1089AAD918E3340E7B54A81CF40

Function 052BE3B0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a38b79ef301f4e0219668cba4f4f46de07f1246e69a7103bccedd26e669051
Instruction ID: 3322afc4db461454b83339b23d89c350d754b6d00632b0e356344808cf14a840
Opcode Fuzzy Hash: a4a38b79ef301f4e0219668cba4f4f46de07f1246e69a7103bccedd26e669051
Instruction Fuzzy Hash: A4F0C970D15208EFCB54EFB9E4456EDBBF9EB09301F1195A9D409E3300E6749A40DF40

Function 052BAD38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7e60b9987c9a1defdb3d29790387099d253f8ad0ecc216a708eec074acfbae
Instruction ID: aa25e6d5ac46e7cf09555d3208cfd641620a807da8efbf1ecaa00dd63eb192f2
Opcode Fuzzy Hash: 9c7e60b9987c9a1defdb3d29790387099d253f8ad0ecc216a708eec074acfbae
Instruction Fuzzy Hash: 46E0C23091610E9BDB14EBB9E4056EC77B8BF01342F008598C80993240EBF01E84DB81

Function 052BB85C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc59611521d73ea28c5f35e8bedcb5146d589cfd7d7830d234c70835fc66829
Instruction ID: f1d2078904919b5b46c1bf833fe90ec538afd19703350729ca46e70936d0cbed
Opcode Fuzzy Hash: dbc59611521d73ea28c5f35e8bedcb5146d589cfd7d7830d234c70835fc66829
Instruction Fuzzy Hash: 72B0122A2F4101E2B800A3BC494996BD501EFB3740B149C11B38B6001484E1C865D22B

Function 052BB489 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1988573844.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_52b0000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57449de59f60f09bfc2545959f7bff3bf5001c05f3363b59f5c552ef970fe3fd
Instruction ID: 571f3c2e493619c7b239b9218a53c487e503ffc8d95784bf9ba9dd46b7ac4ce7
Opcode Fuzzy Hash: 57449de59f60f09bfc2545959f7bff3bf5001c05f3363b59f5c552ef970fe3fd
Instruction Fuzzy Hash: 8DA0113A020000AEBF022B00C80AC88BBA2FF2030830080A0A0C20A0308A22E028AB0A

Analysis Process: YDKFDa.exePID: 8124, Parent PID: 7792COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	5.1%
Total number of Nodes:	98
Total number of Limit Nodes:	8

Executed Functions

Function 0042C713 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C74A

Memory Dump Source

Source File: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_YDKFDa.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ff58566f2d9fa89099de2cc9a3efd2b5a34b90fd3400549af8a1988bb226be77
Instruction ID: 74cb8e24429c7127855f75ede90c996c18a48c010ae6dde299821f37cfa2d592
Opcode Fuzzy Hash: ff58566f2d9fa89099de2cc9a3efd2b5a34b90fd3400549af8a1988bb226be77
Instruction Fuzzy Hash: A2E086762002147FD620EA5ADC41FDB775CDFC5714F00402AFA8877181C675791487F5

Function 01AF2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01AF2DFA

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4ff844f74eb8889034fac977234c54372e0a7f8f8c16d5f7045a14561317ec9
Instruction ID: 4625fd114ce2645afef411ebfb12b3f7908b2250e060b89d6289273c21162be5
Opcode Fuzzy Hash: e4ff844f74eb8889034fac977234c54372e0a7f8f8c16d5f7045a14561317ec9
Instruction Fuzzy Hash: 5E90023260180453D11671584504707040997D0281F95C452A042459DDD7568B92A221

Function 01AF2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01AF2C7A

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d37cc8d9fca5d477c40688d7715fed5259d32aea2e4469be626d2ce555fa3794
Instruction ID: e6f1855a17781af26dec0b15052c4fa04d9ddb72a5f43a98e355ae6150167d38
Opcode Fuzzy Hash: d37cc8d9fca5d477c40688d7715fed5259d32aea2e4469be626d2ce555fa3794
Instruction Fuzzy Hash: D790023260188842D1157158840474A040597D0341F59C451A442469DDC7958AD17221

Function 01AF35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01AF35CA

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14aa96d6fe81f173833dd3f96c73bbad369f6539ac263bb21a4b5f5004c56873
Instruction ID: b04df8a08ad3cdf8b76ac190a7bf45585467035e4dd658d6c6a6510aebb4f1f9
Opcode Fuzzy Hash: 14aa96d6fe81f173833dd3f96c73bbad369f6539ac263bb21a4b5f5004c56873
Instruction Fuzzy Hash: 03900232A0590442D10571584514706140597D0241F65C451A04245ADDC7958B9166A2

Function 0042CA83 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CABF

Strings

!fA, xrefs: 0042CA86

Memory Dump Source

Source File: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_YDKFDa.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: !fA
API String ID: 3298025750-4105324770
Opcode ID: 3f71c8c9f87e6b8285d4c5ad0f58e99df957fb1716898f095b35ca35d33033ff
Instruction ID: 1e4aba11d5c0ccdbf7a67024826715e9db936d78db8835abece5e02299c29402
Opcode Fuzzy Hash: 3f71c8c9f87e6b8285d4c5ad0f58e99df957fb1716898f095b35ca35d33033ff
Instruction Fuzzy Hash: 6AE06DB62042047BD714EE59DC41EAB37ACEFC5714F000019FA08A7241D670B9108BB4

Function 004178E3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417955

Memory Dump Source

Source File: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_YDKFDa.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b693ed89f4e9785a237846af1f345434269f374b70b3ff8db407c0a2a3d3851e
Instruction ID: b1debd7875aa39e42b6ba1488dcb691615432184dc90df6611ff2312ace15cfe
Opcode Fuzzy Hash: b693ed89f4e9785a237846af1f345434269f374b70b3ff8db407c0a2a3d3851e
Instruction Fuzzy Hash: 840112B5E1020DA7DB10DAA5DC42FDEB7789B54308F4041A6E90897241F635EB588B95

Function 0042CA33 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E694,?,?,00000000,?,0041E694,?,?,?), ref: 0042CA72

Memory Dump Source

Source File: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_YDKFDa.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 827ad30f3f0474cac9348308e8d2ce981deded8197616a5ffcdebe9d0b8923f8
Instruction ID: 1f729a9eb2238079f11578e9ee1fe9b2e85e8e01a775daacb08f3c7869812e9d
Opcode Fuzzy Hash: 827ad30f3f0474cac9348308e8d2ce981deded8197616a5ffcdebe9d0b8923f8
Instruction Fuzzy Hash: 33E065B2204204BBE714EF59EC81FAB37ACEFC9710F004119FA08A7242C670B9108BB8

Function 0042CAD3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042CB0A

Memory Dump Source

Source File: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_YDKFDa.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: cb0ccc95c75b4fe4c600b8398c292feadcb32f9aaa21b0e37cd4cd8865bbb369
Instruction ID: 321f1c1e9d56fc412e46f5e1dc841546a89ae2c1970867f909047b56a3235263
Opcode Fuzzy Hash: cb0ccc95c75b4fe4c600b8398c292feadcb32f9aaa21b0e37cd4cd8865bbb369
Instruction Fuzzy Hash: 41E04F712006147BC220EA5ADC41F9B775CDFC5724F004029FB18A7141DA70B90087F5

Function 01AF2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01AF2C24

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4293b01e6a8cf9ddca5b47cec5957ec832de4092bc543dbd5c5989e81f0dd20f
Instruction ID: 50d04c62b374d11386772dcbafa7f41cb499096691ee4a25885e43abf00dbcb7
Opcode Fuzzy Hash: 4293b01e6a8cf9ddca5b47cec5957ec832de4092bc543dbd5c5989e81f0dd20f
Instruction Fuzzy Hash: E3B09B72D019C5C5DA16E7A446087177D00B7D0741F15C076E3030686F8738C5D1E275

Non-executed Functions

Function 01AF4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43cbe1bdcb8e10c698f962277132892c8a30dd586c7d7df7e37fdea6b56ab73
Instruction ID: a12443446d09224e728f8999279bf5d5caf9e78f602ed6201a16c79eeafef76f
Opcode Fuzzy Hash: b43cbe1bdcb8e10c698f962277132892c8a30dd586c7d7df7e37fdea6b56ab73
Instruction Fuzzy Hash: 70900232A05C00529145715848845464405A7E0341B55C051E0424599CCB148B965361

Function 01AF4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef48d3dee61833e0455841e0436e7a38f1afb0a3d8a717206c54312fdfcb5e58
Instruction ID: e703d5ef34a8f9766725669a971cddb0da5a9b506aa7fe589aa9ccb8eb0ce052
Opcode Fuzzy Hash: ef48d3dee61833e0455841e0436e7a38f1afb0a3d8a717206c54312fdfcb5e58
Instruction Fuzzy Hash: 21900262A01900824145715848044066405A7E1341395C155A05545A5CC7188A959369

Function 01AF2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb24a0fb3495b775a1e35f9d45a0fceac8b225d336e59759c6826cd7439d4c04
Instruction ID: ced731cc928cfa143a19720919211be567d4689f0956f32bd92dd1747561110f
Opcode Fuzzy Hash: cb24a0fb3495b775a1e35f9d45a0fceac8b225d336e59759c6826cd7439d4c04
Instruction Fuzzy Hash: AA900232A0580842D15571584414746040597D0341F55C051A0024699DC7558B9577A1

Function 01AF2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846802bf6f6255640368420433303c5fd5f09099e0ee80c26d2f32e8dc4aca3b
Instruction ID: ad1a6fa0815f026d9ad99fc5011f1abf5ea8d1ea3c8438e3ac660859a09a8d8c
Opcode Fuzzy Hash: 846802bf6f6255640368420433303c5fd5f09099e0ee80c26d2f32e8dc4aca3b
Instruction Fuzzy Hash: 2590023260180842D10971584804686040597D0341F55C051A602469AED7658AD17231

Function 01AF2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8435e5a7056b0c8689feb77a97e9dccdeec74bcfeca016f11c71697055ce34a3
Instruction ID: 15516548470ec48ef1d3419e9a71eba73f05c6a52ce0b5bcd8d36894af013707
Opcode Fuzzy Hash: 8435e5a7056b0c8689feb77a97e9dccdeec74bcfeca016f11c71697055ce34a3
Instruction Fuzzy Hash: FD90023260584882D14571584404A46041597D0345F55C051A00646D9DD7258F95B761

Function 01AF2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4093725da007f47b0569a1f7968c934daaf0d3c61ff0b3e3ce01047b4b39e8
Instruction ID: a787c8704dc1b662fff80193c6c8a817af6f8f963a911a7f5f2e4f3ff8b5c5a1
Opcode Fuzzy Hash: da4093725da007f47b0569a1f7968c934daaf0d3c61ff0b3e3ce01047b4b39e8
Instruction Fuzzy Hash: 9090023260180842D1857158440464A040597D1341F95C055A0025699DCB158B9977A1

Function 01AF2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b2088d070ae7e6ba56f437aab096d46d2282297eaedcc1dc6655e75a02b7f4
Instruction ID: 5c96aef408457ed280fd3883dcbc858769536541f53640441b60911387e76d72
Opcode Fuzzy Hash: e0b2088d070ae7e6ba56f437aab096d46d2282297eaedcc1dc6655e75a02b7f4
Instruction Fuzzy Hash: 0890026260280043410A71584414616440A97E0241B55C061E10145D5DC6258AD16225

Function 01AF2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c60a789e449657a5dd6de8bac6be97ed77ae8785bf166f0a837bdc70a1f3de5
Instruction ID: bac177237088708c79e3e084b29b6a71a866b31d5ca82231a11d8d1ae8f23b85
Opcode Fuzzy Hash: 4c60a789e449657a5dd6de8bac6be97ed77ae8785bf166f0a837bdc70a1f3de5
Instruction Fuzzy Hash: 1A9002A2601940D24505B2588404B0A490597E0241B55C056E10545A5CC6258A919235

Function 01AF2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d330f372cad1043599477ea9bc9d1dca98cb34d053b26776f2f69c2bf645c2
Instruction ID: 71fe7fcd46c21bd3f7af364d6472a49690d192cc20b30bc9eceac01b21c4195f
Opcode Fuzzy Hash: a5d330f372cad1043599477ea9bc9d1dca98cb34d053b26776f2f69c2bf645c2
Instruction Fuzzy Hash: C690022662180042014AB558060450B0845A7D6391395C055F14165D5CC7218AA55321

Function 01AF2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf001f3bf81c96ccf95a41d9d6a8b0b4f6d8823517c08ba0d2a6f39fdd24825
Instruction ID: a3c272fc3d6753fe34b9cc7c6855d88a1e06743edefd4e4e3b63caa25826aef2
Opcode Fuzzy Hash: 2cf001f3bf81c96ccf95a41d9d6a8b0b4f6d8823517c08ba0d2a6f39fdd24825
Instruction Fuzzy Hash: 9790022661180043010AB5580704507044697D5391355C061F1015595CD7218AA15221

Function 01AF2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93094178b70dd2280a70af3699a192e9de943d4890cbe309ab889102ff35e239
Instruction ID: 6c6e80d6a6a8c04cdc40e59521c1cc6cc2b0b11f820066e2089137e7868e111b
Opcode Fuzzy Hash: 93094178b70dd2280a70af3699a192e9de943d4890cbe309ab889102ff35e239
Instruction Fuzzy Hash: 7B90023264180442D146715844046060409A7D0281F95C052A0424599EC7558B96AB61

Function 01AF2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdeafcfaff5bd443f8cd98f5972ae45d3ad3602931c77fb7cba3fc346bce335
Instruction ID: e5d1d78cb13ca353faa0c69b5a9c1c7250b73d7208235d7124401e21932a6232
Opcode Fuzzy Hash: 4bdeafcfaff5bd443f8cd98f5972ae45d3ad3602931c77fb7cba3fc346bce335
Instruction Fuzzy Hash: 9D90022264284192554AB15844045074406A7E0281795C052A1414995CC6269A96D721

Function 01AF2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf671421cf7985266ba78a0a25ad85213c5620e0ad04b460ae26b652b15bb91
Instruction ID: aa3f59700df4ea21a01dafbe71f5485e58c6fab93c16e0c4866a49b8f115c78e
Opcode Fuzzy Hash: 5cf671421cf7985266ba78a0a25ad85213c5620e0ad04b460ae26b652b15bb91
Instruction Fuzzy Hash: ED90022270180043D145715854186064405E7E1341F55D051E0414599CDA158A965322

Function 01AF2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d9b0c81aeb8280888ab7d409652f8948c75d4cde9cf1f4c6275d11658ac48e
Instruction ID: 78eedb609621eddc6d8bd675da3f2f1c955e7953674934a60348ff937699882e
Opcode Fuzzy Hash: 92d9b0c81aeb8280888ab7d409652f8948c75d4cde9cf1f4c6275d11658ac48e
Instruction Fuzzy Hash: 9390022260584482D10575585408A06040597D0245F55D051A10645DADC7358A91A231

Function 01AF2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8d68a826b632640ce244288d28c60dcbb5078a5f2813083568e56899e98a0c
Instruction ID: 48fa016c9bf58239440e6d3bd13181afdc0d132546e264381c36be62bb87256a
Opcode Fuzzy Hash: 7a8d68a826b632640ce244288d28c60dcbb5078a5f2813083568e56899e98a0c
Instruction Fuzzy Hash: 9990022A61380042D1857158540860A040597D1242F95D455A001559DCCA158AA95321

Function 01AF2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159f5254c83419512b5514a1806c67b4c11f14a36bfe8d693edac6c92facc208
Instruction ID: d83596a00b7945e667c191641d7a3ad0f3ebe2c5bb572e97272288d31da4b23f
Opcode Fuzzy Hash: 159f5254c83419512b5514a1806c67b4c11f14a36bfe8d693edac6c92facc208
Instruction Fuzzy Hash: 5590023260180442D10575985408646040597E0341F55D051A502459AEC7658AD16231

Function 01AF2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b880c149d6a1ad6b752bc68d309ff2d5de499c9d65d728ac342f7752afa7742
Instruction ID: 7d93026be31d2861d627a812e2804fc54f9aa4c8db82d4a3307d4d429d870c0c
Opcode Fuzzy Hash: 6b880c149d6a1ad6b752bc68d309ff2d5de499c9d65d728ac342f7752afa7742
Instruction Fuzzy Hash: CE90023260180443D10571585508707040597D0241F55D451A042459DDD7568A916221

Function 01AF2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b8cc1bede362571fc3d4b79d8c77ec43889ff5c68f65cfecad7713ffd71926
Instruction ID: 090fa2b0a5639f90bfd4b1f43fbfc1c633091e0660211191b9d64b38dfae0e55
Opcode Fuzzy Hash: 56b8cc1bede362571fc3d4b79d8c77ec43889ff5c68f65cfecad7713ffd71926
Instruction Fuzzy Hash: 08900222A0580442D14571585418706041597D0241F55D051A0024599DC7598B9567A1

Function 01AF2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37f7e4c6d084b94c649bed0da3c3de3148cfa6959070f3c43cdfc18b8662b28
Instruction ID: 20be5e3b3166570e713eecb5a4981eef92eae745aa13dae647b8b9becddc8d36
Opcode Fuzzy Hash: a37f7e4c6d084b94c649bed0da3c3de3148cfa6959070f3c43cdfc18b8662b28
Instruction Fuzzy Hash: 5590023260180882D10571584404B46040597E0341F55C056A0124699DC715CA917621

Function 01AF2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fb8a58c6047b7c74132ae7caa7289b32c4d3b1b87aba9a3780f2892b6f7ece
Instruction ID: 26059bc958de6bfdc2ce077244d39d6ff4592bc0cf9541c24c2e0db5b0d09e91
Opcode Fuzzy Hash: 72fb8a58c6047b7c74132ae7caa7289b32c4d3b1b87aba9a3780f2892b6f7ece
Instruction Fuzzy Hash: A2900232601C0442D10571584808747040597D0342F55C051A516459AEC765CAD16631

Function 01AF2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163c28eaed26d21f741ee6b2064e37363cd6a670ae6254c2151c5b420156ae44
Instruction ID: 1336aab368ed1ba5b40453f04e8f27da38a4843bdc25962be64c934d0a189a7c
Opcode Fuzzy Hash: 163c28eaed26d21f741ee6b2064e37363cd6a670ae6254c2151c5b420156ae44
Instruction Fuzzy Hash: 6E900222A01800824145716888449064405BBE1251755C161A0998595DC6598AA55765

Function 01AF2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65e50270daa2bb95435b3c58ee2dd5f4ef9af8c6dea53c00085e213f38ca63b
Instruction ID: e3d722858902d8bb0b2818b5d445f1c80ac136f3e5b8bed2622549d44c60200e
Opcode Fuzzy Hash: a65e50270daa2bb95435b3c58ee2dd5f4ef9af8c6dea53c00085e213f38ca63b
Instruction Fuzzy Hash: F9900232601C0442D1057158481470B040597D0342F55C051A116459ADC7258A916671

Function 01AF2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac0af7c958f8f0bdba1e2704fb4a5c01c964cfc1d59640d9d8470c9e53dcb91
Instruction ID: 833ddf8ed4b81c7a396ddd0d2e2a803ca5e8e2b66eb9027f8d7c1340a86cc52f
Opcode Fuzzy Hash: 1ac0af7c958f8f0bdba1e2704fb4a5c01c964cfc1d59640d9d8470c9e53dcb91
Instruction Fuzzy Hash: 57900222611C0082D20575684C14B07040597D0343F55C155A0154599CCA158AA15621

Function 01AF2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9cb88b942b682415916452ed00147050de33a9a4a7b6ebc32d11a252a15629
Instruction ID: 14060e5e22a0f02ff0ed41e3075afa9906c756b2e3af70eeabba2b96cda46948
Opcode Fuzzy Hash: 8b9cb88b942b682415916452ed00147050de33a9a4a7b6ebc32d11a252a15629
Instruction Fuzzy Hash: E190026274180482D10571584414B060405D7E1341F55C055E1064599DC719CE926226

Function 01AF2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa3615c7fd2bb64a69ab3fa57336baf0d972abb99d35b2a5005a36baa873813
Instruction ID: 3091b2df3532f631e640ff903c121f2cbd62d1d87f0cb57d4afcebbac3ab1dad
Opcode Fuzzy Hash: 8aa3615c7fd2bb64a69ab3fa57336baf0d972abb99d35b2a5005a36baa873813
Instruction Fuzzy Hash: 7690026261180082D10971584404706044597E1241F55C052A2154599CC6298EA15225

Function 01AF2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcff8806188d88e013620f011c8621efccd10cbafd6440531641b1ebe061c072
Instruction ID: f98de20f1c0d4d2f4f9fcb468e5053ba30529a6935d88780b0236d6d76bee596
Opcode Fuzzy Hash: fcff8806188d88e013620f011c8621efccd10cbafd6440531641b1ebe061c072
Instruction Fuzzy Hash: 1E90027260180442D14571584404746040597D0341F55C051A5064599EC7598FD56765

Function 01AF2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc9327e1e374a4245cadade8c0f0d1b42b9be55cb28bee0617ffdb3a3a24926
Instruction ID: 1caedc964de7fb8b4424711dd73c0e91aaaa538642a18c914ead6c804e2b9d9f
Opcode Fuzzy Hash: 2bc9327e1e374a4245cadade8c0f0d1b42b9be55cb28bee0617ffdb3a3a24926
Instruction Fuzzy Hash: 51900222A0180542D10671584404616040A97D0281F95C062A102459AECB258BD2A231

Function 01AF2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2c8571896961ed634c8704205e6cad7ba91f83d07eaf06db9f0ba49104ce3c
Instruction ID: b2fdbcf6edff2816614b1c2ec5b9cfea2ef5c514686f7765c50a3708f16b110c
Opcode Fuzzy Hash: 1c2c8571896961ed634c8704205e6cad7ba91f83d07eaf06db9f0ba49104ce3c
Instruction Fuzzy Hash: 40900262601C0443D14575584804607040597D0342F55C051A206459AECB298E916235

Function 01AF2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b400f949e3b304fe1441fb17d2424bf7e247a72e1f6604f804b42b644789540e
Instruction ID: 677173c7911cb85eb0c48e3bc8f13e194e831d74a16dadf0353e09945efdf384
Opcode Fuzzy Hash: b400f949e3b304fe1441fb17d2424bf7e247a72e1f6604f804b42b644789540e
Instruction Fuzzy Hash: 1290022270180442D107715844146060409D7D1385F95C052E142459ADC7258B93A232

Function 01AF3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926a8404f26061c7d4193bfb2870f7a8a5c11a1f3d4db2fbb75afe99f5b06510
Instruction ID: 09b4c82992bea4b54482c0dbb153a67acb4b3d67ba5ef94e183d6670791400e1
Opcode Fuzzy Hash: 926a8404f26061c7d4193bfb2870f7a8a5c11a1f3d4db2fbb75afe99f5b06510
Instruction Fuzzy Hash: 1D90022264180842D145715884147070406D7D0641F55C051A0024599DC7168BA567B1

Function 01AF3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d804b278630f0c976af6f5a491cde110a171a51eee00b274feb0e14729aef094
Instruction ID: 9ffb4703245dddef05847e4aeca554ec6ea0227343ae9fe593b9756f9197effc
Opcode Fuzzy Hash: d804b278630f0c976af6f5a491cde110a171a51eee00b274feb0e14729aef094
Instruction Fuzzy Hash: 94900222601C4482D14572584804B0F450597E1242F95C059A4156599CCA158A955721

Function 01AF39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a45d8f1cd9ed5c5ee5d5686c020d9c8fa8ee882b7e2f973cfb69bebb7779d4
Instruction ID: a9b9b8ee810fcd59b1b683d8fac2c926dc429860e876f0596450b941695c9dd9
Opcode Fuzzy Hash: 49a45d8f1cd9ed5c5ee5d5686c020d9c8fa8ee882b7e2f973cfb69bebb7779d4
Instruction Fuzzy Hash: DD90022264585142D155715C44046164405B7E0241F55C061A08145D9DC6558A956321

Function 01AF3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e91b7c9d3db6c6cd4ea613081d85603a88e6ee3c5b0c9ee4d1ca863a8a9a5a7
Instruction ID: 3a30424dd2b9fd0d00ac22aceab9f36e97986060f6a90be696b1b0cc66ff16ae
Opcode Fuzzy Hash: 4e91b7c9d3db6c6cd4ea613081d85603a88e6ee3c5b0c9ee4d1ca863a8a9a5a7
Instruction Fuzzy Hash: 7090023260280182954572585804A4E450597E1342B95D455A0015599CCA148AA15321

Function 01AF3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82efa76704457b1f03e0b4fe3069007869b501c5a9ee8c18085e4cd90347d58f
Instruction ID: cc25a8345ca1c29f00bf1246e3e8c3e8bab6d54e178dbc07f6032e3a2babe7f6
Opcode Fuzzy Hash: 82efa76704457b1f03e0b4fe3069007869b501c5a9ee8c18085e4cd90347d58f
Instruction Fuzzy Hash: C790023660180442D51571585804646044697D0341F55D451A042459DDC7548AE1A221

Function 01AF2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: d1c13ae296f594338205f387ca54148b2c9fe58baae30b2c71f14179e29606f6
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01AF2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AF293C
___swprintf_l.LIBCMT ref: 01AF295E
___swprintf_l.LIBCMT ref: 01AF29A3
___swprintf_l.LIBCMT ref: 01B2A52E

Strings

ffff:, xrefs: 01B2A504
::%hs%u.%u.%u.%u, xrefs: 01B2A527
::ffff:0:%u.%u.%u.%u, xrefs: 01B2A54E
:%u.%u.%u.%u, xrefs: 01B2A5B8

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e07fc9a811566a6e58a2f69728ce2791a9dd5d4d103ee38c453f81e1b238d67b
Instruction ID: 831c91cb8b726f709f8a9bbbe02347a6cebabce3a4642ab2f43219ac7c85ee98
Opcode Fuzzy Hash: e07fc9a811566a6e58a2f69728ce2791a9dd5d4d103ee38c453f81e1b238d67b
Instruction Fuzzy Hash: 3C51B6B5A00156BFDB15DBEC8890A7FFBB8BB08240B54826EF569D7641D334DE4487E0

Function 01B62410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B624A6
___swprintf_l.LIBCMT ref: 01B624E2
___swprintf_l.LIBCMT ref: 01B6257D
___swprintf_l.LIBCMT ref: 01B625A3
___swprintf_l.LIBCMT ref: 01B625C8
___swprintf_l.LIBCMT ref: 01B62608

Strings

::%hs%u.%u.%u.%u, xrefs: 01B6249E
ffff:, xrefs: 01B6247D, 01B6249D
::ffff:0:%u.%u.%u.%u, xrefs: 01B624DA
:%u.%u.%u.%u, xrefs: 01B625FF

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ba5834905847b45f841531f3b4c568d0e62d1ab6112b8a0dfb8a237a2e7d38dc
Instruction ID: b9d4ef648b656e219604a9d1ee896c5f8f8c665482c46c0587f6518a53dc7beb
Opcode Fuzzy Hash: ba5834905847b45f841531f3b4c568d0e62d1ab6112b8a0dfb8a237a2e7d38dc
Instruction Fuzzy Hash: 4D51F575A00646AEEF39DE5CC89097EBBFCEF54200B4484EAE5D6C7681E778DA408760

Function 01AE7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01B24742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01B24725
CLIENT(ntdll): Processing section info %ws..., xrefs: 01B24787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01B24655
ExecuteOptions, xrefs: 01B246A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01B246FC
Execute=1, xrefs: 01B24713

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: c81777d40abaf58ae61cdd273aa50baf65e480a6b18a600f95af52ed8826fbdc
Instruction ID: 6fac249583febfa7464bcd1102710df9592e355e9c3f0221059b9db127670a21
Opcode Fuzzy Hash: c81777d40abaf58ae61cdd273aa50baf65e480a6b18a600f95af52ed8826fbdc
Instruction Fuzzy Hash: 95512B3160021ABAEF25ABE8DC99FBE77F8EF14314F0400D9E605AB191D7709A458F91

Function 01B86940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: 58adcf44bbb8df271d0aac8b8795565953e6a340f0454bf5623df691cefa6873
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 5F022971508342AFD709DF18C590E6BBBE5EFC8B04F148A6DFA8987254DB31E905CB52

Function 01AFB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01AFB6BF

Strings

0, xrefs: 01AFB66F
+, xrefs: 01AFB65A
0, xrefs: 01AFB695
-, xrefs: 01AFB650

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 5e535ebcff1d741b9cd3143b13896f31b7315d5bfd3a2424cff256eecbaaf511
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 39817F70E062499EEF258FECC8517EEBBB2AF85360F1C415DFA51A7291C73498408BB1

Function 01B620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B6214F
___swprintf_l.LIBCMT ref: 01B62172

Strings

%%%u, xrefs: 01B62146
]:%u, xrefs: 01B62169
[, xrefs: 01B6212B

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: e082d4a0e3f9d4419f2759edc3a9150fcde8382b047d457a7acbdf7f5a8b28ee
Instruction ID: 9fc288ecf60332809f5209b09c6701d09980324c0ff99f52bfbba8d777a86018
Opcode Fuzzy Hash: e082d4a0e3f9d4419f2759edc3a9150fcde8382b047d457a7acbdf7f5a8b28ee
Instruction Fuzzy Hash: 2B213676E00119ABEB15DF69D841AFE7BFCEF64654F44019AEA05D3240E734DA018791

Function 01ADF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01B2031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01B202E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01B202BD

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: ef1bf85b57f2f4e02b4d29c58aaaa0d225b32f351932718a1cd0c3c5de0a76a7
Instruction ID: 66832531882546d511c605f4379ba2bba6e76b9085007612cccaec6754d4ba57
Opcode Fuzzy Hash: ef1bf85b57f2f4e02b4d29c58aaaa0d225b32f351932718a1cd0c3c5de0a76a7
Instruction Fuzzy Hash: AFE19E30604B419FD729DF28C884B6BBBE0FB89314F140A5DF5A68B2E1D774D949CB42

Function 01AEBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01B27B8E
RTL: Re-Waiting, xrefs: 01B27BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01B27B7F

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: e113c7e07ab97d4011c3a607d19b29e7349a955a26d6f0ee23bccdfc35482aee
Instruction ID: f8e1e2c88924013f57c77dadda48f5fd1bdb6e432652198ff20c1bd1e6af53dc
Opcode Fuzzy Hash: e113c7e07ab97d4011c3a607d19b29e7349a955a26d6f0ee23bccdfc35482aee
Instruction Fuzzy Hash: CB4103317007029FDB29DF29CC58B6AB7E5EF98710F100A5DFA5AD7290DB31E8058BA1

Function 01AEB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B2728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01B27294
RTL: Resource at %p, xrefs: 01B272A3
RTL: Re-Waiting, xrefs: 01B272C1

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 6e320724c53cbb3c83d82a8fc6c9b6262194c901de357e5740c2af16ace6e6ae
Instruction ID: 4b517cc34b4d0c157b0a8e9118c9d441ae567172410567587aa1eb17dc0033bd
Opcode Fuzzy Hash: 6e320724c53cbb3c83d82a8fc6c9b6262194c901de357e5740c2af16ace6e6ae
Instruction Fuzzy Hash: 19412031700217ABCB29DE29CC45B66B7E1FBA6710F100658F959EB280DB30E85687E5

Function 01B62300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B6238D
___swprintf_l.LIBCMT ref: 01B623B3

Strings

%%%u, xrefs: 01B62384
]:%u, xrefs: 01B623AA

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d3b25d66010c6bcd4ec38b171c34574ff6ab182561d2cb00abaa3b1204761af0
Instruction ID: f1e3c38cd9d662e13e5094cc781fbde499de33343363a02214a47ad82dca3ef2
Opcode Fuzzy Hash: d3b25d66010c6bcd4ec38b171c34574ff6ab182561d2cb00abaa3b1204761af0
Instruction Fuzzy Hash: 2F318872A002199FDB25DE2DCC80BEE77FCFF54650F4405DAE949E3140EB349A448B60

Function 01AF7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01AF7E8B

Strings

+, xrefs: 01AF7DE8
-, xrefs: 01AF7DDD

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: a806f2c4079d80ec5596c5415f0498a2988c6b138e645b6a1d3168d6d73165de
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: A491A071E0021A9AEB24DFEDC880ABEBBB5AF44720F58461EFB55E72C0D7349941CB51

Function 01AB9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01AB9191
@, xrefs: 01AB9175

Memory Dump Source

Source File: 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1a80000_YDKFDa.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: ea342207214798dd2c186a71e2190632107a91178ad59943f3aab0a5f1089aec
Instruction ID: 617c126d1eddb679879334fdc38cea4ce390121ed3ae0ae086de1557373ee174
Opcode Fuzzy Hash: ea342207214798dd2c186a71e2190632107a91178ad59943f3aab0a5f1089aec
Instruction Fuzzy Hash: 07811CB1D002699BDB35CB54CD45BEEB7B8AF08754F1541DAEA19B7280D7305E84CFA0

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z2PaymentAdviceD00772795264733.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_z2PaymentAdviceD_164c51a5d229aa518dd17c3de4a35bd70dfff2c_68d82f61_79e08b0e-ca07-4f91-a818-252224a5049e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD37F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD3DD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD40D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YDKFDa.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z2PaymentAdviceD00772795264733.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10jtw2tl.eau.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3j4yt0gt.tnp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gsnvkha.2o3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bj43j0zf.ymy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljsnq2wn.jtt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdv1ryt4.f03.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t45vent5.t15.ps1

Windows Analysis Report
z2PaymentAdviceD00772795264733.exe