Windows Analysis Report
z52PaymentSlip.exe

Overview

General Information

Sample name: z52PaymentSlip.exe
Analysis ID: 1528613
MD5: e6e226e5d3b722773e0269b3b80d3a57
SHA1: 73d69cfe75a715dbff9b821fe50bd820c1ecbd0a
SHA256: 74a2d7feba54ab5bc3788d420fc90cc0905f6721137fb07c071ec0d758b6b90d
Tags: exe, user-Porcupine

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Detected potential crypto function
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • z52PaymentSlip.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\z52PaymentSlip.exe" MD5: E6E226E5D3B722773E0269B3B80D3A57)
    • WerFault.exe (PID: 2916 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 1472 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: z52PaymentSlip.exe | ReversingLabs: Detection: 36%
Source: z52PaymentSlip.exe | Virustotal: Detection: 35%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: z52PaymentSlip.exe | Joe Sandbox ML: detected
Source: z52PaymentSlip.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: z52PaymentSlip.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Accessibility.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: System.Xml.pdb0[ source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: Lhaz.pdb3 source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: tc.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Lhaz.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802788912.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: z52PaymentSlip.exe, 00000000.00000002.1804874734.0000000007190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: !!.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802788912.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: \??\C:\Users\user\Desktop\Lhaz.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802557677.0000000000D62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Lhaz.pdbpdbhaz.pdb_ source: z52PaymentSlip.exe, 00000000.00000002.1804874734.0000000007190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb# source: z52PaymentSlip.exe, 00000000.00000002.1802557677.0000000000D62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: Lhaz.pdbSHA256- source: z52PaymentSlip.exe
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbt source: z52PaymentSlip.exe, 00000000.00000002.1802557677.0000000000D62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb@ source: z52PaymentSlip.exe, 00000000.00000002.1802788912.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\Lhaz.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: n(C:\Windows\Lhaz.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\exe\Lhaz.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802788912.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\Lhaz.pdb+ source: z52PaymentSlip.exe, 00000000.00000002.1802788912.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Lhaz.pdbh source: z52PaymentSlip.exe, 00000000.00000002.1804874734.00000000071CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: C:\Users\user\Desktop\z52PaymentSlip.PDB source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: z52PaymentSlip.exe, 00000000.00000002.1804874734.0000000007190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb' source: z52PaymentSlip.exe, 00000000.00000002.1804874734.0000000007190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdba source: z52PaymentSlip.exe, 00000000.00000002.1804874734.0000000007190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: z52PaymentSlip.exe, 00000000.00000002.1804874734.0000000007190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802557677.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: Lhaz.pdbs\Lhaz.pdbpdbhaz.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\z52PaymentSlip.PDB source: z52PaymentSlip.exe, 00000000.00000002.1802788912.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: o.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: Lhaz.pdb source: z52PaymentSlip.exe, WER1EE2.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802788912.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, WER1EE2.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802788912.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: Lhaz.pdbR source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb. source: z52PaymentSlip.exe, 00000000.00000002.1804874734.00000000071CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Users\user\Desktop\Lhaz.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802433981.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\exe\Lhaz.pdb source: z52PaymentSlip.exe, 00000000.00000002.1802557677.0000000000D62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER1EE2.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1EE2.tmp.dmp.4.dr
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

System Summary

Source: initial sample | Static PE information: Filename: z52PaymentSlip.exe
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Code function: 0_2_04F4D55C
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Code function: 0_2_07380040
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Code function: 0_2_07382900
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 1472
Source: z52PaymentSlip.exe, 00000000.00000000.1656080058.0000000000732000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLhaz.exed" vs z52PaymentSlip.exe
Source: z52PaymentSlip.exe, 00000000.00000002.1802557677.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z52PaymentSlip.exe
Source: z52PaymentSlip.exe | Binary or memory string: OriginalFilenameLhaz.exed" vs z52PaymentSlip.exe
Source: z52PaymentSlip.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z52PaymentSlip.exe, 00000000.00000002.1802557677.0000000000D62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb#
Source: classification engine | Classification label: mal64.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6196
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\239d71e1-6a6c-4012-8475-97db85e4526c
Source: z52PaymentSlip.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | File read: C:\Users\user\Desktop\z52PaymentSlip.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\z52PaymentSlip.exe "C:\Users\user\Desktop\z52PaymentSlip.exe"
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: z52PaymentSlip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z52PaymentSlip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: z52PaymentSlip.exe, mainForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: z52PaymentSlip.exe, mainForm.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.z52PaymentSlip.exe.5230000.5.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.z52PaymentSlip.exe.2ac2c48.0.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: z52PaymentSlip.exe | Static PE information: 0xE536B0FB [Sat Nov 10 20:58:35 2091 UTC]
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Code function: 0_2_07386571 push ebx; retf 0_2_07386572
Source: z52PaymentSlip.exe | Static PE information: section name: .text entropy: 7.943594441024244
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Memory allocated: 2A00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Memory allocated: 4A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Code function: 0_2_04F4C888 sldt word ptr [F64B18B9h]
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Process queried: DebugPort (2 identical rows)
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Memory allocated: page read and write | page guard
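The rows above mix three kinds of evidence that deserve different weight, and the report itself does not separate them. The write-watch reservations are how the .NET garbage collector reserves its heap (MEM_WRITE_WATCH, so it can find dirtied pages with GetWriteWatch), and they appear for practically every .NET process. The VMware and Hyper-V strings come from Amcache.hve.4.dr, a copy of the analysis machine's own Amcache registry hive that WerFault.exe picked up while handling the sample's crash; they describe the sandbox hardware, not anything the sample searched for. The DebugPort query is the NtQueryInformationProcess(ProcessDebugPort) call that CheckRemoteDebuggerPresent() makes, and the single sldt hit is disassembled at an address far outside the load range of a small 32-bit .NET image and stores to a fixed absolute address rather than a stack slot, so the bytes should be checked in the sample before the "No Pill" VM check is taken at face value. The volume-information rows that follow are consistent with GDI+ font enumeration by a WinForms application (the report shows System.Windows.Forms and System.Drawing being loaded). The script below is an added triage helper written for this page, not code from Joe Sandbox; it assumes the "Source: <origin><event>: <detail>" row shape as extracted here (with or without a " | " separator and with or without the trailing "Jump to behavior" link label), and the signal-class names and the attribution rules are the author's own choices. The sample rows are copied from this section as constructed test input.

```python
"""Triage of Joe Sandbox behaviour rows (added example; not Joe Sandbox code).

Parses "Source: <origin><event>: <detail>" rows, attributes each to the
sample, to the WerFault.exe helper, or to the analysis environment, and
buckets it into a signal class so noise can be separated from findings.
"""
import re
from collections import Counter

# Event labels that begin the behaviour cell. The HTML-to-text extraction
# fused the origin cell and the event cell, so the parser splits on the first
# of these labels instead of on a delimiter.
EVENT_LABELS = (
    "Process information set", "Memory allocated", "Code function",
    "Binary or memory string", "Process queried", "Queries volume information",
)
ROW_RE = re.compile(
    r"^Source:\s*(?P<origin>.+?)\s*\|?\s*"
    r"(?P<event>" + "|".join(re.escape(e) for e in EVENT_LABELS) + r"):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)

# Constructed test input: rows copied from this report section, one of them
# rewritten with a " | " separator to show both shapes are accepted.
REPORT_ROWS = [
    r"Source: C:\Users\user\Desktop\z52PaymentSlip.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior",
    r"Source: C:\Users\user\Desktop\z52PaymentSlip.exeMemory allocated: 2A00000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Users\user\Desktop\z52PaymentSlip.exeCode function: 0_2_04F4C888 sldt word ptr [F64B18B9h]0_2_04F4C888",
    r"Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB MouseJump to behavior",
    r"Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation CounterJump to behavior",
    r"Source: C:\Users\user\Desktop\z52PaymentSlip.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\z52PaymentSlip.exeMemory allocated: page read and write | page guardJump to behavior",
    r"Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation",
    r"Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior",
]


def classify(origin, event, detail):
    """Return (signal_class, attribution) for one parsed row (author's own scheme)."""
    o, d = origin.lower(), detail.lower()
    if "amcache.hve" in o and o.endswith(".dr"):
        # Dropped copy of the Amcache hive collected by WerFault for the crash
        # report: its VMware/Hyper-V strings describe the sandbox hardware.
        return "env_vm_strings", "environment"
    who = "helper" if o.endswith("werfault.exe") else "sample"
    if event == "Process information set":
        # SetErrorMode() flags (SEM_NOOPENFILEERRORBOX etc.) that suppress
        # error dialogs; WerFault sets them routinely.
        return "error_mode_flags", who
    if event == "Memory allocated":
        if "write watch" in d:
            # MEM_WRITE_WATCH reserve: the .NET GC heap, seen in any .NET app.
            return "gc_write_watch", who
        if "page guard" in d:
            return "guard_page", who
        return "memory_other", who
    if event == "Code function" and re.search(r"\b(sldt|sgdt|sidt|str)\b", d):
        # Descriptor-table reads ("No Pill" style VM checks); confirm the bytes
        # are real code before trusting a single disassembled hit.
        return "descriptor_table_probe", who
    if event == "Process queried" and "debugport" in d:
        # NtQueryInformationProcess(ProcessDebugPort), as used by
        # CheckRemoteDebuggerPresent().
        return "debugport_query", who
    if event == "Queries volume information":
        if "\\fonts\\" in d:
            # GDI+ font enumeration by a WinForms app touches every font file.
            return "font_file_probe", who
        if "\\microsoft.net\\" in d:
            return "assembly_file_probe", who
        return "volume_info_other", who
    return "unclassified", who


def parse_rows(rows):
    """Parse report rows; lines that are not behaviour rows are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        cls, who = classify(m["origin"], m["event"], m["detail"])
        out.append({"origin": m["origin"], "event": m["event"],
                    "detail": m["detail"], "class": cls, "attribution": who})
    return out


def summarize(rows):
    """Count rows per (attribution, signal class)."""
    return dict(Counter((r["attribution"], r["class"]) for r in parse_rows(rows)))


def sample_findings(rows):
    """Signal classes produced by the sample's own process that merit review."""
    notable = {"descriptor_table_probe", "debugport_query"}
    return sorted({r["class"] for r in parse_rows(rows)
                   if r["attribution"] == "sample" and r["class"] in notable})


if __name__ == "__main__":
    for key, n in sorted(summarize(REPORT_ROWS).items()):
        print(f"{key[0]:<12} {key[1]:<24} {n}")
    print("review:", sample_findings(REPORT_ROWS))
```

Run against the rows of this section, the helper leaves only the DebugPort query and the sldt hit on the "review" list, with the error-mode flags, GC write-watch reservations, Amcache strings and font probes counted separately as low-value noise.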
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Queries volume information: C:\Users\user\Desktop\z52PaymentSlip.exe VolumeInformation
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z52PaymentSlip.exe | Queries volume information: VolumeInformation for the following files under C:\Windows\Fonts\ (172 rows, in report order; consecutive repeats are marked with their count): bahnschrift.ttf (×4), calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, cambria.ttc, Candara.ttf, Candaral.ttf, Candarai.ttf, Candarali.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbell.ttf, corbeli.ttf, corbelli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, msjh.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyh.ttc, msyi.ttf, mingliub.ttc (×3), monbaiti.ttf, msgothic.ttc (×2), mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguihis.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, Sitka.ttc, SitkaZ.ttc, SitkaB.ttc, SitkaZ.ttc, Sitka.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf, timesbi.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, YuGothM.ttc, YuGothR.ttc, YuGothL.ttc, holomdl2.ttf, AGENCYR.TTF, AGENCYB.TTF, BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ARLRDBD.TTF, BASKVILL.TTF, BAUHS93.TTF, BELLI.TTF, BELLB.TTF, BOD_B.TTF, BOD_BI.TTF, BOOKOS.TTF, BOOKOSI.TTF, BRADHITC.TTF, BRLNSR.TTF, BRUSHSCI.TTF, BSSYM7.TTF, CALIST.TTF, COOPBL.TTF, COPRGTB.TTF, DUBAI-REGULAR.TTF, DUBAI-MEDIUM.TTF, ENGR.TTF, FORTE.TTF, FRABK.TTF, FRABKIT.TTF, GARABD.TTF, GOTHICBI.TTF, HARNGTON.TTF, IMPRISHA.TTF, LBRITEDI.TTF, LEELAWAD.TTF, LSANS.TTF, MTCORSVA.TTF, MTEXTRA.TTF
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\z52PaymentSlip.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.drBinary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 3 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 3 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Software Packing | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label | Link
z52PaymentSlip.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
z52PaymentSlip.exe | 35% | Virustotal | | Browse
z52PaymentSlip.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.fontbureau.com | 0% | URL Reputation | safe |
http://www.fontbureau.com | 0% | URL Reputation | safe |
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe |
http://www.fonts.com | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal | | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | z52PaymentSlip.exe, 00000000.00000002.1804501270.0000000006C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1528613
Start date and time:2024-10-08 04:31:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 58s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:z52PaymentSlip.exe
Detection:MAL
Classification:mal64.evad.winEXE@2/5@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 41
  • Number of non-executed functions: 3
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.65.92
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
22:31:58 | API Interceptor | 1x Sleep call for process: z52PaymentSlip.exe modified
22:32:12 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.1804206372134172
Encrypted:false
SSDEEP:192:ChRNZZhRkd0BU/6aeOJo1ZrtmYzuiFQZ24IO8aS:KNZZhueBU/6aZdYzuiFQY4IO8aS
MD5:28C5480ACFC7456CC1F16B7ACEB28B9E
SHA1:0E825BD7AA0FED7F4CA242A24CD927DE547A410C
SHA-256:F8BB705C9A74DF035ACBE4E418F5D3B0559B9877CE641E2AD9AEB0F26D7188B0
SHA-512:9B6202C5AD3C5D34AF8E9D44C500CAE38B40EFEF667DF63BC88575BC452A894D270B7F4C4F03F75D09ECFDE33FC913BB99747CA0B04E6EF0F8D1C931EFE38A81
Malicious:false
Reputation:low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.2.8.3.1.9.8.5.5.1.2.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.2.8.3.2.0.4.1.7.6.2.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.d.1.8.5.f.2.-.c.f.9.b.-.4.0.6.c.-.8.b.7.9.-.e.a.3.0.5.d.7.f.a.e.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.d.d.7.4.8.2.-.2.1.f.c.-.4.8.a.9.-.a.e.5.b.-.a.3.e.3.9.1.a.9.9.b.a.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.5.2.P.a.y.m.e.n.t.S.l.i.p...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.L.h.a.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.3.4.-.0.0.0.1.-.0.0.1.4.-.6.7.c.b.-.2.4.3.f.2.a.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.d.2.0.a.0.7.8.5.1.0.9.a.5.a.a.c.3.7.5.d.d.2.8.f.3.e.f.4.7.3.8.0.0.0.0.0.0.0.0.!.0.0.0.0.7.3.d.6.9.c.f.e.7.5.a.7.1.5.d.b.f.f.9.b.8.2.1.f.e.5.0.b.d.8.2.0.c.1.e.c.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Tue Oct 8 02:32:00 2024, 0x1205a4 type
Category:dropped
Size (bytes):302673
Entropy (8bit):4.204038158234258
Encrypted:false
SSDEEP:3072:gLOaCk0mc4uEqqyqLTgL3C5Jpded3bC/fnzKV:gLbCvmc4ryITgTC5s9bE
MD5:04A36A4D842A06B932C4D47B5F3F22C1
SHA1:9C7769EB9E2BB5D19586AC334C558240C2378F5F
SHA-256:42E628C2DF29D3D512003FCE48459A3F88A7319A711AF7B8536CC02E0A5833A9
SHA-512:6A2C03EF7C52A176EAC178F6B264A653437A59004ABD3B4F261B4BDB5AFA2F4E6B280F7F6A3EF13B5D7489E3590650499C78C9BF61F1A2BA894F1E3489592319
Malicious:false
Reputation:low
Preview:MDMP..a..... ..........g............................(.......$....&......T....S..........`.......8...........T............9..qd...........&...........(..............................................................................eJ......\)......GenuineIntel............T.......4......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8446
Entropy (8bit):3.703932725722764
Encrypted:false
SSDEEP:192:R6l7wVeJI46kng36Y9BSU9P4QGgmfZPY+pri89bUQ3sfE8m:R6lXJ3676YbSU9P2gmfBY4UQ8fm
MD5:65F49AE1004AB07906F8824FA1C24935
SHA1:2A5122FFABA57015E5E743241C43534902AB1D76
SHA-256:451FF9489618623AF3700A721099CB60358765F8D7EDC6564B9A376481143B05
SHA-512:FFA5E0064915758DFD2DBD549DD0AA34EB35631605781197659E3C23BB021059240707DFC76825E3B4ABEB6655348C65C2B5367C2422999CAA03453C98C03EE1
Malicious:false
Reputation:low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.9.6.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4785
Entropy (8bit):4.517368427863469
Encrypted:false
SSDEEP:48:cvIwWl8zs8Jg77aI9ATWpW8VY3Ym8M4Jv2FQvpn+q8v4Jdpnl7tcd:uIjf6I7mi7VDJXvlKYnl7tcd
MD5:3F08B824745E69A7EDE000551AF2CAA4
SHA1:9F46EFAAFA283C990CCAC194E3ADC72C5EF4215F
SHA-256:9535841FA3C0C18DB61FE4D718A866FAE1AEA3A1FCD10B4130F7EA448E0C3768
SHA-512:3AF0B7551B6050E12B3DA66F8DDEB72B987EF8F1CAA544E6A934230FB2EFC046135E3D5784188390886D58E174626FACC6CD50569DF865FE97245AC11CE682DE
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533854" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.465694400220846
Encrypted:false
SSDEEP:6144:vIXfpi67eLPU9skLmb0b4NWSPKaJG8nAgejZMMhA2gX4WABl0uN/dwBCswSbb:AXD94NWlLZMM6YFHR+b
MD5:46ADEAEB3DA8A83F03C4D69F62362414
SHA1:2F8667503CEACDD9CA0E69A51EF62440416E9F28
SHA-256:D085F5B2FB87E99E44662BAF1639F083F2CE7E574A999E9264969EF8FF8D4ECA
SHA-512:C9F5DF3EFB4E9D53DB7E2946275E800E8716669CFF34C5B3580836377498F7541A11E09B514CACEC0CE2E03F9594C17AAB9E3658FF8C73BA99F28FE086E6D963
Malicious:false
Reputation:low
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmV.)@*................................................................................................................................................................................................................................................................................................................................................#>t........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.719850388732583
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Win32 Executable (generic) a (10002005/4) 49.78%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name:z52PaymentSlip.exe
File size:591'872 bytes
MD5:e6e226e5d3b722773e0269b3b80d3a57
SHA1:73d69cfe75a715dbff9b821fe50bd820c1ecbd0a
SHA256:74a2d7feba54ab5bc3788d420fc90cc0905f6721137fb07c071ec0d758b6b90d
SHA512:86bbf87f68706915c27497c6fc15c178a3d2f2b58be24e0dc10f9f00f5fd0075da270977269ae5182b17234db701ab7eaabe5addb3e3a11576fa52fff1a2967c
SSDEEP:12288:7G5mU+8y3DOgLnwxxF5E8gnTlgHaDxO8x8INPCLbP:ixyBDSxFFgnJgHaVO8IP
TLSH:DDC4F111F6C94565E8B824FB543578CC13A2AA4DDCABF6B96BBCB54CCD332C1EE04641
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6...............0.................. ... ....@.. .......................`............@................................
Icon Hash:d3d0deeae2f2c6c2
Entrypoint:0x481292
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xE536B0FB [Sat Nov 10 20:58:35 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8123f | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x10ec4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7e97c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7f298 | 0x7f400 | 91fa7660149c18961886bbf9c06ed106 | False | 0.9528525601669942 | data | 7.943594441024244 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x82000 | 0x10ec4 | 0x11000 | 563e7253e32c9831bf01116257927085 | False | 0.07704790900735294 | data | 3.806857517201534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x94000 | 0xc | 0x200 | dd62eb747c68db6e3f493548fdc6beaa | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x82130 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m | | | 0.06794924878741275
RT_GROUP_ICON | 0x92958 | 0x14 | data | | | 1.0
RT_VERSION | 0x9296c | 0x36c | data | | | 0.4041095890410959
RT_MANIFEST | 0x92cd8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
No network behavior found
Target ID:0
Start time:22:31:57
Start date:07/10/2024
Path:C:\Users\user\Desktop\z52PaymentSlip.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\z52PaymentSlip.exe"
Imagebase:0x730000
File size:591'872 bytes
MD5 hash:E6E226E5D3B722773E0269B3B80D3A57
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:22:31:59
Start date:07/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 1472
Imagebase:0x660000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

    Execution Graph

    Execution Coverage:10.8%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:1
    execution_graph 22772 4f4cfe0 22773 4f4d026 22772->22773 22777 4f4d5c8 22773->22777 22780 4f4d5b9 22773->22780 22774 4f4d113 22783 4f4d21c 22777->22783 22781 4f4d5f6 22780->22781 22782 4f4d21c DuplicateHandle 22780->22782 22781->22774 22782->22781 22784 4f4d630 DuplicateHandle 22783->22784 22785 4f4d5f6 22784->22785 22785->22774 22786 4f4ac50 22790 4f4ad48 22786->22790 22795 4f4ad38 22786->22795 22787 4f4ac5f 22791 4f4ad7c 22790->22791 22792 4f4ad59 22790->22792 22791->22787 22792->22791 22793 4f4af80 GetModuleHandleW 22792->22793 22794 4f4afad 22793->22794 22794->22787 22796 4f4ad59 22795->22796 22797 4f4ad7c 22795->22797 22796->22797 22798 4f4af80 GetModuleHandleW 22796->22798 22797->22787 22799 4f4afad 22798->22799 22799->22787 22800 4f44668 22801 4f4467a 22800->22801 22802 4f44686 22801->22802 22804 4f44778 22801->22804 22805 4f4479d 22804->22805 22809 4f44888 22805->22809 22813 4f44879 22805->22813 22811 4f448af 22809->22811 22810 4f4498c 22810->22810 22811->22810 22817 4f444c4 22811->22817 22815 4f448af 22813->22815 22814 4f4498c 22814->22814 22815->22814 22816 4f444c4 CreateActCtxA 22815->22816 22816->22814 22818 4f45918 CreateActCtxA 22817->22818 22820 4f459db 22818->22820
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: (o^q$4'^q$4'^q$4'^q
    • API String ID: 0-183542557
    • Opcode ID: 6ec78d6915ae666263d39110a4ec162e52ac59a3755feb5fbfbfc06af5bd89c9
    • Instruction ID: 3afb007a64c915c44238e28728b9e6115caecf171aec53f11b050754c89e049d
    • Opcode Fuzzy Hash: 6ec78d6915ae666263d39110a4ec162e52ac59a3755feb5fbfbfc06af5bd89c9
    • Instruction Fuzzy Hash: 24A29FF160020ACFDB55DF68C884AAEBBB6FF88710F158559E409DB361DB34E981CB51

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1376 7380040-7380063 1377 738006e-738008e 1376->1377 1378 7380065-738006b 1376->1378 1381 7380090 1377->1381 1382 7380095-738009c 1377->1382 1378->1377 1383 7380424-738042d 1381->1383 1384 738009e-73800a9 1382->1384 1385 73800af-73800c2 1384->1385 1386 7380435-7380443 1384->1386 1389 73800d8-73800f3 1385->1389 1390 73800c4-73800d2 1385->1390 1394 73800f5-73800fb 1389->1394 1395 7380117-738011a 1389->1395 1390->1389 1393 73803ac-73803b3 1390->1393 1393->1383 1398 73803b5-73803b7 1393->1398 1396 73800fd 1394->1396 1397 7380104-7380107 1394->1397 1399 7380120-7380123 1395->1399 1400 7380274-738027a 1395->1400 1396->1397 1396->1400 1401 738013a-7380140 1396->1401 1402 7380366-7380369 1396->1402 1397->1401 1403 7380109-738010c 1397->1403 1404 73803b9-73803be 1398->1404 1405 73803c6-73803cc 1398->1405 1399->1400 1407 7380129-738012f 1399->1407 1400->1402 1406 7380280-7380285 1400->1406 1408 7380142-7380144 1401->1408 1409 7380146-7380148 1401->1409 1410 738036f-7380375 1402->1410 1411 7380430 1402->1411 1412 7380112 1403->1412 1413 73801a6-73801ac 1403->1413 1404->1405 1405->1386 1414 73803ce-73803d3 1405->1414 1406->1402 1407->1400 1415 7380135 1407->1415 1417 7380152-738015b 1408->1417 1409->1417 1418 738039a-738039e 1410->1418 1419 7380377-738037f 1410->1419 1411->1386 1412->1402 1413->1402 1416 73801b2-73801b8 1413->1416 1420 7380418-738041b 1414->1420 1421 73803d5-73803da 1414->1421 1415->1402 1422 73801ba-73801bc 1416->1422 1423 73801be-73801c0 1416->1423 1425 738015d-7380168 1417->1425 1426 738016e-7380196 1417->1426 1418->1393 1427 73803a0-73803a6 1418->1427 1419->1386 1424 7380385-7380394 1419->1424 1420->1411 1428 738041d-7380422 1420->1428 1421->1411 1429 73803dc 1421->1429 1431 73801ca-73801e1 1422->1431 1423->1431 1424->1389 1424->1418 1425->1402 1425->1426 1449 738028a-73802c0 1426->1449 1450 738019c-73801a1 1426->1450 1427->1384 1427->1393 1428->1383 1428->1398 1430 73803e3-73803e8 1429->1430 1432 738040a-738040c 1430->1432 1433 73803ea-73803ec 1430->1433 1442 738020c-7380233 1431->1442 1443 73801e3-73801fc 1431->1443 1432->1411 1440 738040e-7380411 1432->1440 1437 73803fb-7380401 1433->1437 1438 73803ee-73803f3 1433->1438 1437->1386 1441 7380403-7380408 1437->1441 1438->1437 1440->1420 1441->1432 1445 73803de-73803e1 1441->1445 1442->1411 1454 7380239-738023c 1442->1454 1443->1449 1455 7380202-7380207 1443->1455 1445->1411 1445->1430 1456 73802cd-73802d5 1449->1456 1457 73802c2-73802c6 1449->1457 1450->1449 1454->1411 1458 7380242-738026b 1454->1458 1455->1449 1456->1411 1461 73802db-73802e0 1456->1461 1459 73802c8-73802cb 1457->1459 1460 73802e5-73802e9 1457->1460 1458->1449 1473 738026d-7380272 1458->1473 1459->1456 1459->1460 1462 7380308-738030c 1460->1462 1463 73802eb-73802f1 1460->1463 1461->1402 1466 738030e-7380314 1462->1466 1467 7380316-7380332 1462->1467 1463->1462 1465 73802f3-73802fb 1463->1465 1465->1411 1468 7380301-7380306 1465->1468 1466->1467 1470 738033b-738033f 1466->1470 1474 7380335 call 7380528 1467->1474 1475 7380335 call 7380518 1467->1475 1468->1402 1470->1402 1471 7380341-738035d 1470->1471 1471->1402 1473->1449 1474->1470 1475->1470
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: (o^q$(o^q$,bq$,bq
    • API String ID: 0-879173519
    • Opcode ID: e526efc5e6f17bf1c04eb49306a689531c677e239b37b47662f083ac67310814
    • Instruction ID: 688174ed7bbb0d8d3791ebe1bc19812f9fe32257ba04a90eaa9e975377a43d2c
    • Opcode Fuzzy Hash: e526efc5e6f17bf1c04eb49306a689531c677e239b37b47662f083ac67310814
    • Instruction Fuzzy Hash: E9D190B0A10219CFEB98DFA8C984A9DBBF6FF88300F558165E419AB260D770ED45CF50

    Control-flow Graph (rendered graph; entry block 7386f9c-7386ff3, call 738589c; edge list omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: fcq$ fcq$ fcq$ fcq$Te^q$Te^q$XX^q$XX^q$XX^q$XX^q$XX^q$XX^q$$^q$$^q$$^q$$^q$$^q$$^q
    • API String ID: 0-4184121725
    • Opcode ID: 2c4856b05a6446d95ea84efa46059f01abf91dc8600aa340db5570b534cd0816
    • Instruction ID: 60734512a4c80538123483e2f2e64aa914600e787cf7f9c5ecba3813c8a72d49
    • Opcode Fuzzy Hash: 2c4856b05a6446d95ea84efa46059f01abf91dc8600aa340db5570b534cd0816
    • Instruction Fuzzy Hash: 1ED1A1B0F14319CFEB58AAE8C84466DBBB7BB85700F344415E406AF798CB759C46CB91
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: fcq$ fcq$ fcq$ fcq$ fcq$ fcq$ fcq$Te^q$XX^q$XX^q$XX^q$XX^q$XX^q$$^q$$^q$$^q$$^q
    • API String ID: 0-1707326010
    • Opcode ID: 08966b804edfc602c35e66cb0f6c20f88046e58ed15aa8ae8eae0db16621bd06
    • Instruction ID: 24f581cebe70387138453e9296bebb6cb9774e7c2e71333292f97165774025d5
    • Opcode Fuzzy Hash: 08966b804edfc602c35e66cb0f6c20f88046e58ed15aa8ae8eae0db16621bd06
    • Instruction Fuzzy Hash: A812B1F0A10318CFFB54AF98C945BADB7B7BB85300F248426E40AAF695CB749C45CB91
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
    • API String ID: 0-1932283790
    • Opcode ID: 62154fb2cd4f6973c8bdc933a8d945144b872c5d9362ccd0c352cc5a9441f073
    • Instruction ID: 5e55cf405dd38294da5f75cf405bef82d7a0d06209b07abb2ae27b9feb31eb47
    • Opcode Fuzzy Hash: 62154fb2cd4f6973c8bdc933a8d945144b872c5d9362ccd0c352cc5a9441f073
    • Instruction Fuzzy Hash: 9D525CB16002058FEB59EF68C584AAEBBF5EF49314F148169E819DB361DB30ED49CB50

    Control-flow Graph (rendered graph; entry block 7387139; edge list omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: fcq$ fcq$Te^q$XX^q$$^q$$^q$$^q$$^q
    • API String ID: 0-3622600923
    • Opcode ID: f490c54c8a8aaf2b0623e55724b00e33f52f39fe55f8a1922b7477bda3b1321d
    • Instruction ID: 0ff6b9415faaf646c934577e7017c755d7ba7c79ef0570f378a6c08f2ac50d81
    • Opcode Fuzzy Hash: f490c54c8a8aaf2b0623e55724b00e33f52f39fe55f8a1922b7477bda3b1321d
    • Instruction Fuzzy Hash: CB719FF0E14319CFFBA8AAD4C444AADB7B7FB81700F348416E40AABA94C7749C45CB91

    Control-flow Graph (rendered graph; entry block 7385b50-7385b68; edge list omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: LR^q$LR^q$$^q$$^q$$^q$$^q
    • API String ID: 0-4154641970
    • Opcode ID: f4568a0bee49f61d6da75b75c79aa70aaeea98f40a0701dc9dc4a507028b9b6d
    • Instruction ID: d38d55dc25fa5ceea40ce86bec32f8ff877bf05454fabda57a4e68d6b5a039d6
    • Opcode Fuzzy Hash: f4568a0bee49f61d6da75b75c79aa70aaeea98f40a0701dc9dc4a507028b9b6d
    • Instruction Fuzzy Hash: 5E51F2B1B1030ACFEF54AF69C80577AB6FAFB85700F14842AE5099F381DB748855CB50

    Control-flow Graph (rendered graph; entry block 7385762-7385763; edge list omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: LR^q$$^q$$^q
    • API String ID: 0-3333519130
    • Opcode ID: 4e5a4c3238c2637a435fde9afb9ec7276ac0e7553a6e9f6834a9ee22e56081e3
    • Instruction ID: 2cfbeb4652fb3e3dd5b39e4cff70841ead779aec7855541ae70f8c01c221795f
    • Opcode Fuzzy Hash: 4e5a4c3238c2637a435fde9afb9ec7276ac0e7553a6e9f6834a9ee22e56081e3
    • Instruction Fuzzy Hash: 4991F76295E3E18FEB136B3898606EA7FB0AF53210F0941E7D0C4CF1A3D5784959C766

    Control-flow Graph (rendered graph; entry block 73858e0-7385b68; edge list omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: LR^q$$^q$$^q
    • API String ID: 0-3333519130
    • Opcode ID: c7a80fdf4307c41e116d080dc5d6611da7c0781ed100e9cc1d9b2784ef0afea5
    • Instruction ID: a54959c0b4d1a723c91066a07425b7acbc278a4eaf1ed0205dc8b6b389e1f177
    • Opcode Fuzzy Hash: c7a80fdf4307c41e116d080dc5d6611da7c0781ed100e9cc1d9b2784ef0afea5
    • Instruction Fuzzy Hash: 7A4135F2A1030ACBFF55AF64C845BBAB7F9FB95700F14842AE549AB281D7748855CB10

    Control-flow Graph (rendered graph; entry block 7383e58-7383e8c, call 7380bb0; edge list omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: (o^q$(o^q
    • API String ID: 0-1946778100
    • Opcode ID: c8af07a476f69f8b068a9c5972d49bb3dbe4ad8a4a58a329a032b2c659e7c85d
    • Instruction ID: e604e43810ee50337171092e64ba100d89def48f052adc79985fc32bbd43133c
    • Opcode Fuzzy Hash: c8af07a476f69f8b068a9c5972d49bb3dbe4ad8a4a58a329a032b2c659e7c85d
    • Instruction Fuzzy Hash: AEF14AB0A0425A9FDB51DF94C580DAEBBFAFF89300F55C515E919A76A4C730F881CBA0

    Control-flow Graph (rendered graph; entry block 7381a18-7381a4f; edge list omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: $^q$$^q
    • API String ID: 0-355816377
    • Opcode ID: 5f829462f91382f54bfb99c3c47e8c956ae9b39d261e2edda9e00357e1603f92
    • Instruction ID: 00b6e7e2a198b02b04b644d047850f385669c040139e6ca37c8dd0810db8a0f8
    • Opcode Fuzzy Hash: 5f829462f91382f54bfb99c3c47e8c956ae9b39d261e2edda9e00357e1603f92
    • Instruction Fuzzy Hash: 8F11A5F074431A4FEB6AABA9989053E3B6AAB85650714085ED05ACB351EF38CC838352

    Control-flow Graph (rendered graph; entry block 7381bb8-7381bc5; edge list omitted)
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: 4'^q$4'^q
    • API String ID: 0-2697143702
    • Opcode ID: 9244861eacd57557f2b2001c7fff06f44e093a0f248ad28f2be62fbca5ed1f3e
    • Instruction ID: cd633665df761aadb069aefa7a9b99c749bf38da027f9d886bf73e0473103d45
    • Opcode Fuzzy Hash: 9244861eacd57557f2b2001c7fff06f44e093a0f248ad28f2be62fbca5ed1f3e
    • Instruction Fuzzy Hash: B3E086F079521E17E67D216A491466E784ED7C5B50F14055DB41EC7344FE64CCC34262

    Control-flow Graph (rendered graph; entry block 4f4ad48-4f4ad57; GetModuleHandleW called at 4f4af80-4f4afab; edge list omitted)
    APIs
    • GetModuleHandleW.KERNELBASE(00000000), ref: 04F4AF9E
    Memory Dump Source
    • Source File: 00000000.00000002.1803560094.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f40000_z52PaymentSlip.jbxd
    Similarity
    • API ID: HandleModule
    • String ID:
    • API String ID: 4139908857-0
    • Opcode ID: 87462e6a7d8aadbfd03f2e3c4f244e751b4cb9aaa465ed71731d351415e2ab20
    • Instruction ID: 060e590e1abec141e55aaa32bfc3a8a4a4ad624c60293dee99ce0c8fcdfcb217
    • Opcode Fuzzy Hash: 87462e6a7d8aadbfd03f2e3c4f244e751b4cb9aaa465ed71731d351415e2ab20
    • Instruction Fuzzy Hash: 58710270A00B058FDB24DF2AD45475ABBF1FF88304F048A2DD49A97A50DB75F94ACB91

    Control-flow Graph (rendered graph; entry block 4f4590d-4f459d9, CreateActCtxA; edge list omitted)
    APIs
    • CreateActCtxA.KERNEL32(?), ref: 04F459C9
    Memory Dump Source
    • Source File: 00000000.00000002.1803560094.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f40000_z52PaymentSlip.jbxd
    Similarity
    • API ID: Create
    • String ID:
    • API String ID: 2289755597-0
    • Opcode ID: 7ca48196922547d768b7879c9ba9a67a17211635b8d2079eb97d0b30bb987225
    • Instruction ID: 8d444443da6069b772425b7bbd0fa2a28990f4c39e5e15692ce6ada8596d5617
    • Opcode Fuzzy Hash: 7ca48196922547d768b7879c9ba9a67a17211635b8d2079eb97d0b30bb987225
    • Instruction Fuzzy Hash: 0341E2B0C0161DDFDB24DFA9C8847DEBBB5BF48304F24806AD408AB255DB75698ACF91

    Control-flow Graph (rendered graph; entry block 4f444c4-4f459d9, CreateActCtxA; edge list omitted)
    APIs
    • CreateActCtxA.KERNEL32(?), ref: 04F459C9
    Memory Dump Source
    • Source File: 00000000.00000002.1803560094.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f40000_z52PaymentSlip.jbxd
    Similarity
    • API ID: Create
    • String ID:
    • API String ID: 2289755597-0
    • Opcode ID: 3fd78dc898e4adc55cdedcd0e94210af13d99f3b1c43f6c0d90ac74ed03b3864
    • Instruction ID: d6a96b8c37a4e575abd77f91a94ba32b0a89dc8637fafbe3d46e32ecf98de5c1
    • Opcode Fuzzy Hash: 3fd78dc898e4adc55cdedcd0e94210af13d99f3b1c43f6c0d90ac74ed03b3864
    • Instruction Fuzzy Hash: EC41F3B0C0071DDBDB24DFAAC88479EBBB5BF48304F60806AD408AB251DB75A946CF91

    Control-flow Graph (rendered graph; entry block 4f4d21c-4f4d6c4, DuplicateHandle; edge list omitted)
    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04F4D5F6,?,?,?,?,?), ref: 04F4D6B7
    Memory Dump Source
    • Source File: 00000000.00000002.1803560094.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f40000_z52PaymentSlip.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: eecbc3ccaf1fbbb3d20c061e687615c43fc8e70206ffddda1a4db7d9e3a55920
    • Instruction ID: b7f9413d0983d7a9f521339a410107c3abe22888d496ae9d74b08cfa7657ee36
    • Opcode Fuzzy Hash: eecbc3ccaf1fbbb3d20c061e687615c43fc8e70206ffddda1a4db7d9e3a55920
    • Instruction Fuzzy Hash: AD21E4B5900258EFDB10CF9AD584AEEBFF8EB48320F14841AE918B7311D374A944CFA5
    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04F4D5F6,?,?,?,?,?), ref: 04F4D6B7
    Memory Dump Source
    • Source File: 00000000.00000002.1803560094.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f40000_z52PaymentSlip.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID:
    • API String ID: 3793708945-0
    • Opcode ID: f8f6ea249c7c3cc8552f8409f51fc9f1f23a05e6192fec30d78f2bb02f97cb11
    • Instruction ID: ab3f0b897512a47fad96c8c6535662f2d406c4a5d13032483c70a2ddd27446bb
    • Opcode Fuzzy Hash: f8f6ea249c7c3cc8552f8409f51fc9f1f23a05e6192fec30d78f2bb02f97cb11
    • Instruction Fuzzy Hash: A42114B5D002589FDB10CFA9D584AEEBFF4EB48310F14841AE818A3311C334A940CFA5
    APIs
    • GetModuleHandleW.KERNELBASE(00000000), ref: 04F4AF9E
    Memory Dump Source
    • Source File: 00000000.00000002.1803560094.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f40000_z52PaymentSlip.jbxd
    Similarity
    • API ID: HandleModule
    • String ID:
    • API String ID: 4139908857-0
    • Opcode ID: 9211acce08106e297a8e8b90ffd865e46cffac48149e463d9fd4dcdd1f58f554
    • Instruction ID: 6a3daa32b67b085507ddfc391fb71ba760d960c3f2bbba43d2a3a35bf1b48bc7
    • Opcode Fuzzy Hash: 9211acce08106e297a8e8b90ffd865e46cffac48149e463d9fd4dcdd1f58f554
    • Instruction Fuzzy Hash: 4F11EDB6C003498FDB10CF9AD444ADEFBF4EB88324F10846AD869A7610D779A545CFA5
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 396bf2d3427b44ffeb6b73d7ca34f0dc7725ed068d658739f8f299ebc88f5c63
    • Instruction ID: 28cc5db3d8ebdfa9e41dc3121f29733bd29b021775ad4a9c4fb4635abffb51fc
    • Opcode Fuzzy Hash: 396bf2d3427b44ffeb6b73d7ca34f0dc7725ed068d658739f8f299ebc88f5c63
    • Instruction Fuzzy Hash: 8E615EB2E007499FEF55DFA5C54069DFBF2AF8A700F248619E849AB341D770A945CF40
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e6ab8f4c40e825c20201ea960173872869c7a7afd5dadb2e6f8bb12782ef2254
    • Instruction ID: 50888befebe5a9c544fb3e961d95a119df54dd728d24b31cd3bc803e904e35fe
    • Opcode Fuzzy Hash: e6ab8f4c40e825c20201ea960173872869c7a7afd5dadb2e6f8bb12782ef2254
    • Instruction Fuzzy Hash: 57519031F042049BD704AB74D545AAEBBB2BF89300F14C4A9E8526B29ACF756D89C7D1
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c45f9991a313cad96355b3270b42d80ff3eebedc0916630af72f280ab20aa30e
    • Instruction ID: 99e82427c20cf5b38d07f6928e28e2a23300570e82f298702479f55dc0fe0a8f
    • Opcode Fuzzy Hash: c45f9991a313cad96355b3270b42d80ff3eebedc0916630af72f280ab20aa30e
    • Instruction Fuzzy Hash: 0E51B031F042049BD704AB74D545AAEBBB2BF89300F14C4A9E8926F39ACF756D89C7D1
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cc0d053969b95830bd7c29885799d3f7f536ebde65296918b90724477d45fc92
    • Instruction ID: d1d41a6cb9e4768fb267b7d9e4be7a0faa6b77c9c0119a9c8b865c49b1dc4ab9
    • Opcode Fuzzy Hash: cc0d053969b95830bd7c29885799d3f7f536ebde65296918b90724477d45fc92
    • Instruction Fuzzy Hash: 62514CB2E007499FEF51DFA5C5406DDBBF2AF89700F24861AE849AB341D770A949CF10
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 958f4bf431c06ccadf351b8759c410a4556274f94eabddeb9ef049c9eeb44ec5
    • Instruction ID: 9288c5e94c5c5de411703959e9346e51edf97186e6f447e42c870b6803153f15
    • Opcode Fuzzy Hash: 958f4bf431c06ccadf351b8759c410a4556274f94eabddeb9ef049c9eeb44ec5
    • Instruction Fuzzy Hash: FC418DB1A00349DFEF51DFA4C844A9EBFB6FF49310F048156E819AB2A1D731E954CB94
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 40751189ceadd81609780634b26b0824b39410f83a7c98e95abeb05f583529b1
    • Instruction ID: b7829e17c116153f1f88e3e1a71b8fc76960a460c44b2bc14d1551703a88a64d
    • Opcode Fuzzy Hash: 40751189ceadd81609780634b26b0824b39410f83a7c98e95abeb05f583529b1
    • Instruction Fuzzy Hash: 3A417FB0D15208DFDB44EFA9C69455EBBF2FF41304F28D89AD02A5B365DB348A45CB81
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 84d8b61faa3983d6610396b0c64181bee36995077aea8b02082fddb0c9e048ed
    • Instruction ID: 3e924a13ccff6b602b6810cafb5b6b557ccaf7b5251036a7aac7dee78f454e1d
    • Opcode Fuzzy Hash: 84d8b61faa3983d6610396b0c64181bee36995077aea8b02082fddb0c9e048ed
    • Instruction Fuzzy Hash: EA31F4B471C3804FE7065778D8257293FF59B8A210F1944ABE456CB2D3CEB98C45C762
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2ae4913b5537cb85b1e251ca81d65cb0fa0398a35eb6715d5d8e9e5bb36db8b4
    • Instruction ID: edc96b39a5170b22c0bc16aaece739e74161652c03fbc3ac939994b4fe1f1b8d
    • Opcode Fuzzy Hash: 2ae4913b5537cb85b1e251ca81d65cb0fa0398a35eb6715d5d8e9e5bb36db8b4
    • Instruction Fuzzy Hash: 86312BF09103099FEB40AF68D94579E7BF5FB4A310F100869E11ADB780EB399C548BD2
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 31608a1308ae37bbd62f6b269b027348c9bc7cb2d177472777d7afef917df1ff
    • Instruction ID: d4e037a16bd83238ed7e87d9326de865362565d3c7a2e2b02928a1e574260c0b
    • Opcode Fuzzy Hash: 31608a1308ae37bbd62f6b269b027348c9bc7cb2d177472777d7afef917df1ff
    • Instruction Fuzzy Hash: 91217FB13053128BFB682636D4D463E7A9AAFC5A58F14C039E50ACB794EE39CC46D381
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8afe7b26e1800893abc88627ec30496f81f5c40c8cb3fdd5fa9e1b919de4a0e5
    • Instruction ID: 433a7118201a5846a034c8ef9d6926c023b046eb8408570403e8d6e85c9c4972
    • Opcode Fuzzy Hash: 8afe7b26e1800893abc88627ec30496f81f5c40c8cb3fdd5fa9e1b919de4a0e5
    • Instruction Fuzzy Hash: 972135B47183048FE7446B78D85972A3FE6AB89310F144476F41AC73D5CEB68C41C751
    Memory Dump Source
    • Source File: 00000000.00000002.1802960818.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_fad000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 60ca550d8804fb66c120c3600914de7b5a0183cee377c312d5e24115dfb604a8
    • Instruction ID: 8f9669da02218e72b642ad3951970526a68ffcf76843c7c2fe10f7d760ebecce
    • Opcode Fuzzy Hash: 60ca550d8804fb66c120c3600914de7b5a0183cee377c312d5e24115dfb604a8
    • Instruction Fuzzy Hash: F52148B2500200DFDB04DF04C9C0B16BF65FB98324F20C169DC0A0B656C336E846E6A2
    Memory Dump Source
    • Source File: 00000000.00000002.1803002998.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_fbd000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 77a9a039f37095a382ce94fd8d328ef3db88891ca1bca060393535635a2c4dcf
    • Instruction ID: 0a8be2905d40af2d89d6d64e8c6228e5c8b3cb394fdb099736115e9cdaad11f1
    • Opcode Fuzzy Hash: 77a9a039f37095a382ce94fd8d328ef3db88891ca1bca060393535635a2c4dcf
    • Instruction Fuzzy Hash: 55213775604200DFCB14EF14D9C4B56BF65FB84364F20C56DD80A4B25AD33AD847DE62
    Memory Dump Source
    • Source File: 00000000.00000002.1803002998.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_fbd000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a1e51549e8f51a462550e750b6caa09df7b29c2325494abbc98ef4f795025a9a
    • Instruction ID: 8c2fd267c94bc624e1e2b3b5f2cf3450986e0736a9c18bb051597ea5283da346
    • Opcode Fuzzy Hash: a1e51549e8f51a462550e750b6caa09df7b29c2325494abbc98ef4f795025a9a
    • Instruction Fuzzy Hash: FB213475904280DFCB04DF14C9C0B66BBA5FB94324F20C56DD8094B396D33AD846EEA2
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6357bc1e16205933e79251010b0d654f3decb25317ef792ff7ca77a5b24e5205
    • Instruction ID: 99c57e4f5c094a51617fa65adb3ba5c414fc9ff2c491c637f5695175205fcd65
    • Opcode Fuzzy Hash: 6357bc1e16205933e79251010b0d654f3decb25317ef792ff7ca77a5b24e5205
    • Instruction Fuzzy Hash: D721D1B5E00118DFDB40EFA8C980A9DBBF5FF44300B1045A6E00ADB361DB349E41DB80
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f9efd1aa6b6f639c4100302b5d44b4d0e6e1fd90aec231a569837745efc3788a
    • Instruction ID: 0bf2048778a26a8b1457ca6688ce057ca5534559395ce8055dc87a2a0579d240
    • Opcode Fuzzy Hash: f9efd1aa6b6f639c4100302b5d44b4d0e6e1fd90aec231a569837745efc3788a
    • Instruction Fuzzy Hash: B821EEF0A1A309CFE7429FEAC440A7A77F6AF46300F244972E119CB542DB34C8058721
    Memory Dump Source
    • Source File: 00000000.00000002.1803002998.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_fbd000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9594de60b19b8dc71f29c68c7cb514585b61157ca9dcd1d9bc69e8476943bd6c
    • Instruction ID: dc2eabd9c2ae01727746e962ba507cfd2add544ad7d5bcd3491b96fa16c8bb83
    • Opcode Fuzzy Hash: 9594de60b19b8dc71f29c68c7cb514585b61157ca9dcd1d9bc69e8476943bd6c
    • Instruction Fuzzy Hash: 95218E755093808FCB02DF24D994755BF71EB46324F28C5EAD8498F6A7C33A980ADB62
    Memory Dump Source
    • Source File: 00000000.00000002.1802960818.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_fad000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
    • Instruction ID: e64b55d8729d9a48a1cc54548a800d74b87ec39a471d8e8c48c5ed1f6239a560
    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
    • Instruction Fuzzy Hash: 941126B6804240CFDB06CF00D5C4B16BF71FB98324F24C2A9DC0A0B656C33AE85ADBA1
    Memory Dump Source
    • Source File: 00000000.00000002.1803002998.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_fbd000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
    • Instruction ID: 29b5c89b4201d4afda9b7b468f3e07951f8ada6ecf1bf8062829f2b44259a13a
    • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
    • Instruction Fuzzy Hash: 5611DD75904280CFDB05CF10D5C4B55BFA2FB84328F28C6AAD8094B656C33AD80ADFA2
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 02f676b05089b33cd6e8bbd2813579e686850561e7e823cdf5bc48a9b25c8184
    • Instruction ID: 23958c5a8bac30e7699f270b802e52f6356e67d3076a2595873060951faa6db9
    • Opcode Fuzzy Hash: 02f676b05089b33cd6e8bbd2813579e686850561e7e823cdf5bc48a9b25c8184
    • Instruction Fuzzy Hash: C8F0F6F26293348BE790A66C984067AB7ECF74A320F419633F55DC7681D634C89142D1
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2e5d8171a6cd073b8345f111de041973a7de0310c02a5c60341dd96948d78310
    • Instruction ID: a806b22383af4c39098d4e4d04e3bda254d4cf6fac1924a1c3484048e34a9916
    • Opcode Fuzzy Hash: 2e5d8171a6cd073b8345f111de041973a7de0310c02a5c60341dd96948d78310
    • Instruction Fuzzy Hash: F2010870D0020DAFDB40EFA8C9906AEBBF2FF45300F1085AAD116A7355EB345A45AB81
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2be56995cbed515faa7c9c9056c3c791d9735b83cea6caf70e690c6167330a28
    • Instruction ID: c25aae2a34f061d89cedea52471fcb9bf474a9d352f0b1a3f43310b98e0ff9b5
    • Opcode Fuzzy Hash: 2be56995cbed515faa7c9c9056c3c791d9735b83cea6caf70e690c6167330a28
    • Instruction Fuzzy Hash: 0BE0C2F0B9030CBBFA6429615C07B22356EE7C0F42F208425F2095D1C5CD7694418B24
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cf45a5e9d5aa8bb9e449e51b6cfe49e91d87af6bc77d0b459d9c480736af4a7a
    • Instruction ID: 347d0f203f5041fec6abdd90cd94e6e1093a958074cc01c6163840d3e9e1bad6
    • Opcode Fuzzy Hash: cf45a5e9d5aa8bb9e449e51b6cfe49e91d87af6bc77d0b459d9c480736af4a7a
    • Instruction Fuzzy Hash: 45E020F1D093889FF74111208D2A3223F25CB91601F1944EB91598F0C3D9385400C725
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 457a3dbed730ef9a837d2d5446b79025fc23655288dc24cf97d543be8b4251f4
    • Instruction ID: 40f25a99de943ddbc9b85af026d854ad1bc3da135399607c240bb0586b259dd0
    • Opcode Fuzzy Hash: 457a3dbed730ef9a837d2d5446b79025fc23655288dc24cf97d543be8b4251f4
    • Instruction Fuzzy Hash: ABB092A28C010063EA680A98CACA786230CC745394F144910EC0A94691C12CE60BD130
    Memory Dump Source
    • Source File: 00000000.00000002.1803560094.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f40000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d10c340da43bfdb5107af48bfe0e895feccdd267a7426aaed2bbbc1d3388127a
    • Instruction ID: 025ff016758368b8d36b4c170aef64a1b9fea4dd6145afd1cbc9047d8e119ee3
    • Opcode Fuzzy Hash: d10c340da43bfdb5107af48bfe0e895feccdd267a7426aaed2bbbc1d3388127a
    • Instruction Fuzzy Hash: F9A16932E002198FDF05DFA4C94449EBBB2FFC5304B15816AE80AAB265EF35E946CB50
    Memory Dump Source
    • Source File: 00000000.00000002.1803560094.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4f40000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0cbbaa82b6568593ce60ef6b4fa527a885255a048d28d5479d9cc9b5ca7cbd16
    • Instruction ID: 6fc91c1ca778c9368e2bef5fc2c29fad13f132f4a9a794d9e1f465b23738ffaa
    • Opcode Fuzzy Hash: 0cbbaa82b6568593ce60ef6b4fa527a885255a048d28d5479d9cc9b5ca7cbd16
    • Instruction Fuzzy Hash: A6E02BF98164804FEF11D724FDD24883B32F655304701C591D005AB797E624450F8B61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1805431189.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7380000_z52PaymentSlip.jbxd
    Similarity
    • API ID:
    • String ID: LR^q$LR^q$$^q$$^q$$^q$$^q
    • API String ID: 0-4154641970
    • Opcode ID: 350e28a31bea7870efe231804a6859bc934b8e6be89425f093d0bcc55bd72148
    • Instruction ID: a1edaf41ee9029ac5ebb9ae8b9389a7ac2fac5ca5da1764a47612a3f82c07034
    • Opcode Fuzzy Hash: 350e28a31bea7870efe231804a6859bc934b8e6be89425f093d0bcc55bd72148
    • Instruction Fuzzy Hash: 48C15EB0E10229CFDB54DFA9C581AADB7F2FF84300F158556E419AB656D730DC82CB91