Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Payment Advice D 0024679526 3930.exe

Overview

General Information

Sample name:Payment Advice D 0024679526 3930.exe
Analysis ID:1562305
MD5:dcd730d80c1a49c81b02eb90b5f9c4a6
SHA1:6fd7cf911360120f2af050611ac416045ac74c1b
SHA256:fbc1981c8c4b453464e63ea2155aa74d2e6e6da1fd3268fd8b45e16c1d2bd0d2
Tags:exeuser-adrian__luca
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • Payment Advice D 0024679526 3930.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe" MD5: DCD730D80C1A49C81B02EB90B5F9C4A6)
    • powershell.exe (PID: 1216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7204 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 2120 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • OyXCaSLaAXfAKx.exe (PID: 4916 cmdline: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe MD5: DCD730D80C1A49C81B02EB90B5F9C4A6)
    • schtasks.exe (PID: 7336 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • OyXCaSLaAXfAKx.exe (PID: 7384 cmdline: "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe" MD5: DCD730D80C1A49C81B02EB90B5F9C4A6)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      Process Memory Space: Payment Advice D 0024679526 3930.exe PID: 7016JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        Process Memory Space: OyXCaSLaAXfAKx.exe PID: 4916JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", ParentImage: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe, ParentProcessId: 7016, ParentProcessName: Payment Advice D 0024679526 3930.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", ProcessId: 1216, ProcessName: powershell.exe
              Sigma detected: Powershell Defender Exclusion
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", ParentImage: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe, ParentProcessId: 7016, ParentProcessName: Payment Advice D 0024679526 3930.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", ProcessId: 1216, ProcessName: powershell.exe
              Sigma detected: Suspicious Add Scheduled Task Parent
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe, ParentImage: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe, ParentProcessId: 4916, ParentProcessName: OyXCaSLaAXfAKx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp", ProcessId: 7336, ProcessName: schtasks.exe
              Sigma detected: Suspicious Schtasks From Env Var Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", ParentImage: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe, ParentProcessId: 7016, ParentProcessName: Payment Advice D 0024679526 3930.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp", ProcessId: 2120, ProcessName: schtasks.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", ParentImage: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe, ParentProcessId: 7016, ParentProcessName: Payment Advice D 0024679526 3930.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", ProcessId: 1216, ProcessName: powershell.exe

              Persistence and Installation Behavior

              barindex
              Sigma detected: Scheduled temp file as task from temp location
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe", ParentImage: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe, ParentProcessId: 7016, ParentProcessName: Payment Advice D 0024679526 3930.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp", ProcessId: 2120, ProcessName: schtasks.exe

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: Payment Advice D 0024679526 3930.exeAvira: detected
              Antivirus detection for dropped file
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeAvira: detection malicious, Label: HEUR/AGEN.1306899
              Multi AV Scanner detection for dropped file
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeReversingLabs: Detection: 65%
              Multi AV Scanner detection for submitted file
              Source: Payment Advice D 0024679526 3930.exeReversingLabs: Detection: 65%
              Yara detected FormBook
              Source: Yara matchFile source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for dropped file
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeJoe Sandbox ML: detected
              Machine Learning detection for sample
              Source: Payment Advice D 0024679526 3930.exeJoe Sandbox ML: detected
              Source: Payment Advice D 0024679526 3930.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: Payment Advice D 0024679526 3930.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: wntdll.pdbUGP source: Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Payment Advice D 0024679526 3930.exe, Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1756504603.00000000031AB000.00000004.00000800.00020000.00000000.sdmp, OyXCaSLaAXfAKx.exe, 00000009.00000002.1972391149.000000000302B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

              E-Banking Fraud

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

              System Summary

              barindex
              Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: Payment Advice D 0024679526 3930.exe
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0042C713 NtClose,8_2_0042C713
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_01622DF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_01622C70
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016235C0 NtCreateMutant,LdrInitializeThunk,8_2_016235C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01624340 NtSetContextThread,8_2_01624340
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01624650 NtSuspendThread,8_2_01624650
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622B60 NtClose,8_2_01622B60
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622BE0 NtQueryValueKey,8_2_01622BE0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622BF0 NtAllocateVirtualMemory,8_2_01622BF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622BA0 NtEnumerateValueKey,8_2_01622BA0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622B80 NtQueryInformationFile,8_2_01622B80
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622AF0 NtWriteFile,8_2_01622AF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622AD0 NtReadFile,8_2_01622AD0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622AB0 NtWaitForSingleObject,8_2_01622AB0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622D30 NtUnmapViewOfSection,8_2_01622D30
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622D00 NtSetInformationFile,8_2_01622D00
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622D10 NtMapViewOfSection,8_2_01622D10
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622DD0 NtDelayExecution,8_2_01622DD0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622DB0 NtEnumerateKey,8_2_01622DB0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622C60 NtCreateKey,8_2_01622C60
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622C00 NtQueryInformationProcess,8_2_01622C00
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622CF0 NtOpenProcess,8_2_01622CF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622CC0 NtQueryVirtualMemory,8_2_01622CC0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622CA0 NtQueryInformationToken,8_2_01622CA0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622F60 NtCreateProcessEx,8_2_01622F60
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622F30 NtCreateSection,8_2_01622F30
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622FE0 NtCreateFile,8_2_01622FE0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622FA0 NtQuerySection,8_2_01622FA0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622FB0 NtResumeThread,8_2_01622FB0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622F90 NtProtectVirtualMemory,8_2_01622F90
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622E30 NtWriteVirtualMemory,8_2_01622E30
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622EE0 NtQueueApcThread,8_2_01622EE0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622EA0 NtAdjustPrivilegesToken,8_2_01622EA0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622E80 NtReadVirtualMemory,8_2_01622E80
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01623010 NtOpenDirectoryObject,8_2_01623010
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01623090 NtSetValueKey,8_2_01623090
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016239B0 NtGetContextThread,8_2_016239B0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01623D70 NtOpenThread,8_2_01623D70
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01623D10 NtOpenProcessToken,8_2_01623D10
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_0559D51C0_2_0559D51C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_079FD0C00_2_079FD0C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_079F57E00_2_079F57E0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_079F539B0_2_079F539B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_079F53A80_2_079F53A8
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_079F73580_2_079F7358
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_079F5C180_2_079F5C18
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_079F09480_2_079F0948
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 0_2_079F78680_2_079F7868
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004030408_2_00403040
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0041694E8_2_0041694E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004169538_2_00416953
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040E1538_2_0040E153
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004101738_2_00410173
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004012108_2_00401210
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040E2978_2_0040E297
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040E2A38_2_0040E2A3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004024408_2_00402440
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040243B8_2_0040243B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0042ED238_2_0042ED23
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040FF538_2_0040FF53
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004027A08_2_004027A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016781588_2_01678158
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E01008_2_015E0100
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168A1188_2_0168A118
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A81CC8_2_016A81CC
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B01AA8_2_016B01AA
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A41A28_2_016A41A2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016820008_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AA3528_2_016AA352
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B03E68_2_016B03E6
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE3F08_2_015FE3F0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016902748_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016702C08_2_016702C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F05358_2_015F0535
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B05918_2_016B0591
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A24468_2_016A2446
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016944208_2_01694420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169E4F68_2_0169E4F6
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F07708_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016147508_2_01614750
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EC7C08_2_015EC7C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160C6E08_2_0160C6E0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016069628_2_01606962
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016BA9A68_2_016BA9A6
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A08_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F28408_2_015F2840
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FA8408_2_015FA840
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E8F08_2_0161E8F0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D68B88_2_015D68B8
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AAB408_2_016AAB40
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A6BD78_2_016A6BD7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EEA808_2_015EEA80
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FAD008_2_015FAD00
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168CD1F8_2_0168CD1F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EADE08_2_015EADE0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01608DBF8_2_01608DBF
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0C008_2_015F0C00
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E0CF28_2_015E0CF2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690CB58_2_01690CB5
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01664F408_2_01664F40
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01632F288_2_01632F28
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01610F308_2_01610F30
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01692F308_2_01692F30
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E2FC88_2_015E2FC8
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166EFA08_2_0166EFA0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0E598_2_015F0E59
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AEE268_2_016AEE26
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AEEDB8_2_016AEEDB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01602E908_2_01602E90
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016ACE938_2_016ACE93
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016BB16B8_2_016BB16B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0162516C8_2_0162516C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DF1728_2_015DF172
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FB1B08_2_015FB1B0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A70E98_2_016A70E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AF0E08_2_016AF0E0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F70C08_2_015F70C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169F0CC8_2_0169F0CC
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DD34C8_2_015DD34C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A132D8_2_016A132D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0163739A8_2_0163739A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016912ED8_2_016912ED
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160B2C08_2_0160B2C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F52A08_2_015F52A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A75718_2_016A7571
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B95C38_2_016B95C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168D5B08_2_0168D5B0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E14608_2_015E1460
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AF43F8_2_016AF43F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AF7B08_2_016AF7B0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016356308_2_01635630
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A16CC8_2_016A16CC
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F99508_2_015F9950
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160B9508_2_0160B950
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016859108_2_01685910
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165D8008_2_0165D800
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F38E08_2_015F38E0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AFB768_2_016AFB76
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01665BF08_2_01665BF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0162DBF98_2_0162DBF9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160FB808_2_0160FB80
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01663A6C8_2_01663A6C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AFA498_2_016AFA49
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A7A468_2_016A7A46
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169DAC68_2_0169DAC6
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01635AA08_2_01635AA0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168DAAC8_2_0168DAAC
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01691AA38_2_01691AA3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A7D738_2_016A7D73
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F3D408_2_015F3D40
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A1D5A8_2_016A1D5A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160FDC08_2_0160FDC0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01669C328_2_01669C32
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AFCF28_2_016AFCF2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AFF098_2_016AFF09
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015B3FD28_2_015B3FD2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015B3FD58_2_015B3FD5
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F1F928_2_015F1F92
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AFFB18_2_016AFFB1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F9EB08_2_015F9EB0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_02DCD51C9_2_02DCD51C
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_073EC3C09_2_073EC3C0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_073E57E09_2_073E57E0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_073E73589_2_073E7358
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_073E53A89_2_073E53A8
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_073E5C189_2_073E5C18
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_073E78689_2_073E7868
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0139010013_2_01390100
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013E600013_2_013E6000
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_014202C013_2_014202C0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A053513_2_013A0535
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A077013_2_013A0770
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013C475013_2_013C4750
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0139C7C013_2_0139C7C0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013BC6E013_2_013BC6E0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013B696213_2_013B6962
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A29A013_2_013A29A0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A284013_2_013A2840
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013AA84013_2_013AA840
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013868B813_2_013868B8
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013D889013_2_013D8890
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013CE8F013_2_013CE8F0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0139EA8013_2_0139EA80
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013AAD0013_2_013AAD00
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013AED7A13_2_013AED7A
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013B8DBF13_2_013B8DBF
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0139ADE013_2_0139ADE0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A8DC013_2_013A8DC0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A0C0013_2_013A0C00
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_01390CF213_2_01390CF2
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_01414F4013_2_01414F40
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013C0F3013_2_013C0F30
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013E2F2813_2_013E2F28
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0141EFA013_2_0141EFA0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_01392FC813_2_01392FC8
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A0E5913_2_013A0E59
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013B2E9013_2_013B2E90
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0138F17213_2_0138F172
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013D516C13_2_013D516C
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013AB1B013_2_013AB1B0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0138D34C13_2_0138D34C
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A33F313_2_013A33F3
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A52A013_2_013A52A0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013BD2F013_2_013BD2F0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013BB2C013_2_013BB2C0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0139146013_2_01391460
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A349713_2_013A3497
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013E74E013_2_013E74E0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013AB73013_2_013AB730
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A995013_2_013A9950
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013BB95013_2_013BB950
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A599013_2_013A5990
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0140D80013_2_0140D800
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A38E013_2_013A38E0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_01415BF013_2_01415BF0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013BFB8013_2_013BFB80
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013DDBF913_2_013DDBF9
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_01413A6C13_2_01413A6C
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A3D4013_2_013A3D40
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013BFDC013_2_013BFDC0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013B9C2013_2_013B9C20
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_01419C3213_2_01419C32
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A1F9213_2_013A1F92
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013A9EB013_2_013A9EB0
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_0042ED2313_2_0042ED23
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: String function: 0140EA12 appears 36 times
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: String function: 013E7E54 appears 96 times
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: String function: 0165EA12 appears 86 times
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: String function: 0166F290 appears 105 times
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: String function: 015DB970 appears 265 times
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: String function: 01625130 appears 58 times
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: String function: 01637E54 appears 108 times
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1758508861.00000000043F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Payment Advice D 0024679526 3930.exe
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763496792.0000000005B30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Payment Advice D 0024679526 3930.exe
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1765407733.0000000007F00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Payment Advice D 0024679526 3930.exe
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1749493496.000000000134E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Payment Advice D 0024679526 3930.exe
              Source: Payment Advice D 0024679526 3930.exe, 00000000.00000000.1700118511.0000000000E04000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIipY.exe6 vs Payment Advice D 0024679526 3930.exe
              Source: Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000016DD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Payment Advice D 0024679526 3930.exe
              Source: Payment Advice D 0024679526 3930.exeBinary or memory string: OriginalFilenameIipY.exe6 vs Payment Advice D 0024679526 3930.exe
              Source: Payment Advice D 0024679526 3930.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: Payment Advice D 0024679526 3930.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: OyXCaSLaAXfAKx.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, STvBYiOPF3W7NGdnQE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.csSecurity API names: _0020.SetAccessControl
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.csSecurity API names: _0020.SetAccessControl
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, STvBYiOPF3W7NGdnQE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.evad.winEXE@19/15@0/0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeFile created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMutant created: \Sessions\1\BaseNamedObjects\OBzPvtZWXhAQ
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeFile created: C:\Users\user\AppData\Local\Temp\tmp7D3C.tmpJump to behavior
              Source: Payment Advice D 0024679526 3930.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: Payment Advice D 0024679526 3930.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: Payment Advice D 0024679526 3930.exeReversingLabs: Detection: 65%
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeFile read: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: Payment Advice D 0024679526 3930.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Payment Advice D 0024679526 3930.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: wntdll.pdbUGP source: Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Payment Advice D 0024679526 3930.exe, Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              .NET source code contains potential unpacker
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.cs.Net Code: xZdFsqTGHk System.Reflection.Assembly.Load(byte[])
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.cs.Net Code: xZdFsqTGHk System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040587C push edi; iretd 8_2_0040587D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004118C9 pushfd ; iretd 8_2_004118D6
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0041713B push cs; iretd 8_2_0041714A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004032C0 push eax; ret 8_2_004032C2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040AABE push edi; retf 8_2_0040AABF
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_00414C5F push cs; retf 8_2_00414C69
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0041EDFB push ss; retf 8_2_0041EE2D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040D580 push ebx; iretd 8_2_0040D581
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040ADAA push esi; retf 8_2_0040ADAD
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_00423E23 push 0000006Dh; iretd 8_2_00423E2C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0040163A pushad ; retf 8_2_004016C1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015B225F pushad ; ret 8_2_015B27F9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015B27FA pushad ; ret 8_2_015B27F9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E09AD push ecx; mov dword ptr [esp], ecx8_2_015E09B6
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015B283D push eax; iretd 8_2_015B2858
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_02DCF2B0 push ss; iretd 9_2_02DCF2F6
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 9_2_073E8D8A push esp; iretd 9_2_073E8D91
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013DC54D pushfd ; ret 13_2_013DC54E
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013DC54F push 8B013667h; ret 13_2_013DC554
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013909AD push ecx; mov dword ptr [esp], ecx13_2_013909B6
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013DC9D7 push edi; ret 13_2_013DC9D9
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_01361FEC push eax; iretd 13_2_01361FED
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeCode function: 13_2_013E7E99 push ecx; ret 13_2_013E7EAC
              Source: Payment Advice D 0024679526 3930.exeStatic PE information: section name: .text entropy: 7.944349569066882
              Source: OyXCaSLaAXfAKx.exe.0.drStatic PE information: section name: .text entropy: 7.944349569066882
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, LilRgRlocgsJfSUIBVA.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LEDxPgjg97', 'WTrxyltIj3', 'B52xuedZdo', 'FRoxwuAQ3u', 'IJlxVvdAPy', 'gFexQG7mA5', 'E4qxto6SG3'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, ihf6hpKUwMlx91rtyZ.csHigh entropy of concatenated method names: 'TMiLAQ55Pr', 'gbaLN3fa2v', 'nRmLsctZl0', 'hDHLkZj3Rm', 'UTQLmVv7T9', 'VbNLdFiGKB', 'QybLh4kTkF', 'qPyLOVlx3i', 'olxLT0ay8b', 'W3VLrrBAph'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, FsvoM4pTwQ1X19oRwJ.csHigh entropy of concatenated method names: 'Dispose', 'Pxal2cejbq', 'IYK9JBgtEQ', 'nbVx7mnvPT', 'UeklC61JUT', 'Bk4lzZ4h7t', 'ProcessDialogKey', 'D7P9oimXPJ', 'ecq9lVTQHZ', 'xbD997nuZo'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, aBUGJ09d9FpZDKVyEw.csHigh entropy of concatenated method names: 'MTrsTfTRG', 'RJHkwbBpb', 'KNFd1MTud', 'RbBhxWGcA', 'bT6T42ijs', 'Yx0rFsCF8', 'QrmfmbSYVR0IM5Temj', 'QfASx2TEyR8XbrpD0v', 'N6xo2UHIUyBjuhyWC1', 'tu1vCsxfE'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, YACNV4FWN97mrDWQek.csHigh entropy of concatenated method names: 'DFVlLTvBYi', 'OF3lHW7NGd', 'XtjlZyN3OY', 'ntwlnUilkJ', 'yjSlWm1eOh', 'doPlXcr0sy', 'O9vJvIDjdOGA1cvFCy', 'g1sTodv39ABCOHI9rD', 'kWPllpbam2', 'WnhlDc57fZ'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, TOUElNi2dJ1lYilUES.csHigh entropy of concatenated method names: 'wyjLb53cnP', 'VJwLSRShXW', 'fKBL5V1TkO', 'bc05CPMmb6', 'dRT5zyKOdQ', 'GAELoqfWVB', 'HLwLlyOWwR', 'VjgL9kbND1', 'z8dLD011lO', 'pcxLFxsb7a'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, LlkJocrZVOSjBNjSm1.csHigh entropy of concatenated method names: 'xPd6mZwyis', 'Gf06h18XIb', 'FKVSMHkmuD', 'YE9SgHwQ7q', 'F3ySjug1rs', 'T3ZScNMTjq', 'elbSikr1oW', 'WPoSeqvOYr', 'i5iSKd0qyH', 'cBpSIt5qf0'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, fgT2tgwvS0qEO8ySCQ.csHigh entropy of concatenated method names: 'BNyWIiNyY7', 'YG3Wywbbyc', 'u7sWwJksvd', 'EtNWVaxCyi', 'ndWWJWxiZM', 'kqqWMZwwOL', 'NiIWgTrZpq', 'LDjWjmCTRo', 'g0NWcLSQWM', 'U7SWiCdnVD'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, xGpQc0TtjyN3OY7twU.csHigh entropy of concatenated method names: 'zgpSkTWxGx', 'YjRSdiJ5kl', 'r90SOR2vsg', 'm5xSTmRMTy', 'oBASWw6ntW', 'RUESXxP9Qq', 'tKBSEAZl5X', 'h9hSvLYMZq', 'GyoSffiDUc', 'ICkSx3llvV'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, LOhDoPGcr0sy8ui08J.csHigh entropy of concatenated method names: 'elQ51ErY3m', 'GPx5pTltYb', 'YsY560KWqw', 'VgF5LGfWE1', 'h1M5HQswC0', 'W9y64icfoZ', 'EdP6ae8VQu', 'RNN6Rt1RjS', 'Gqu60MeE6q', 'yvR62ZrEqG'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, VncoUxRqwyxacejbqa.csHigh entropy of concatenated method names: 'oE3fWS1bn7', 'SmUfEdrAgA', 'ojsffPyQbv', 'daNf8bYDdM', 'jYQfUEkAGA', 'i4tfB3iYr9', 'Dispose', 'JEmvbyb5Jd', 'D22vpTGMSY', 'CTdvSJcRi7'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, DJEwmBlFhqMWq18ODlp.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6HYfesMbL', 'PsGYxCjWbV', 'UC3Y8vJRoe', 'pE0YYYC6hR', 'pkEYUVNy1N', 'RnvY3jkhLc', 'NHnYBppQJ4'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, SBOMUsllvJRxlWuCoho.csHigh entropy of concatenated method names: 'GXXxCbHHlj', 'Nfxxz70sct', 'KjR8oIJbge', 'kFw8lJjjWi', 'pfO89oAZEM', 'GD88DUrHGh', 'G3d8FA6i0F', 'wfv81ouXLO', 'cgS8b272Xv', 'L9q8ppZQQJ'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.csHigh entropy of concatenated method names: 'zJKD14YgEb', 'GcYDb6CFSR', 'rRSDpcLYt0', 'l1gDSqTCwk', 'iPTD6B3JQS', 'bFMD5XuGig', 'YhODLclJi4', 'XGWDHY0Kvi', 'Au8DqTcEKl', 'ennDZLOYld'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, BjMU6yaiqhebqut6xN.csHigh entropy of concatenated method names: 'Ew2E0JFYEo', 'YAcECZyFIM', 'Ubjvop2lgF', 'iW5vl5ukS1', 'ijiEPeJiPO', 'LwwEy4QVR9', 'HbVEu9BmlU', 'Fs3EwZXFxy', 'yU8EVq9moq', 'qZLEQyYlfb'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, OimXPJ21cqVTQHZAbD.csHigh entropy of concatenated method names: 'v7wfGuFvx6', 'CnufJrQmR9', 'y6NfMYPoS3', 'P1hfgGF3JT', 'q4Yfjx15Ry', 'CUWfcmJeIm', 'phafiry9q4', 'tLGfexfZMq', 'DR3fKjt2dA', 'q15fIKuou0'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, dJ1DG7zThxA1XO7tHU.csHigh entropy of concatenated method names: 'rY5xd4cIlg', 'b10xOsHpw0', 'lJoxTn1HAS', 'HNmxG9xOaq', 'G9LxJMUGHv', 'RM7xgvvbBY', 'A3bxjgJIGK', 'rroxBq8VkE', 'tVDxAqC81W', 'uRRxNidDSN'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, URBpJYuUOiqnwSLstk.csHigh entropy of concatenated method names: 'AYs7O1xA6j', 'Bpi7Td8dHK', 'Nic7GHJIoZ', 'wlm7JpENsf', 's7Q7gg8ktN', 'L117juSTJT', 'MUx7iHCQMl', 'FwB7eSRPjn', 'kfo7ILUn2N', 'zQV7PZOaEV'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, STvBYiOPF3W7NGdnQE.csHigh entropy of concatenated method names: 'WOqpwoEitK', 'XJNpVdNW28', 'OtxpQf3no4', 'tMVptnFnTa', 'ju0p4WaY1J', 'X7LpaZSLth', 'lQEpRrBvCZ', 'fX2p0sE3Ri', 'hgOp2xN38s', 'EUHpCaaAoS'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, LilRgRlocgsJfSUIBVA.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LEDxPgjg97', 'WTrxyltIj3', 'B52xuedZdo', 'FRoxwuAQ3u', 'IJlxVvdAPy', 'gFexQG7mA5', 'E4qxto6SG3'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, ihf6hpKUwMlx91rtyZ.csHigh entropy of concatenated method names: 'TMiLAQ55Pr', 'gbaLN3fa2v', 'nRmLsctZl0', 'hDHLkZj3Rm', 'UTQLmVv7T9', 'VbNLdFiGKB', 'QybLh4kTkF', 'qPyLOVlx3i', 'olxLT0ay8b', 'W3VLrrBAph'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, FsvoM4pTwQ1X19oRwJ.csHigh entropy of concatenated method names: 'Dispose', 'Pxal2cejbq', 'IYK9JBgtEQ', 'nbVx7mnvPT', 'UeklC61JUT', 'Bk4lzZ4h7t', 'ProcessDialogKey', 'D7P9oimXPJ', 'ecq9lVTQHZ', 'xbD997nuZo'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, aBUGJ09d9FpZDKVyEw.csHigh entropy of concatenated method names: 'MTrsTfTRG', 'RJHkwbBpb', 'KNFd1MTud', 'RbBhxWGcA', 'bT6T42ijs', 'Yx0rFsCF8', 'QrmfmbSYVR0IM5Temj', 'QfASx2TEyR8XbrpD0v', 'N6xo2UHIUyBjuhyWC1', 'tu1vCsxfE'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, YACNV4FWN97mrDWQek.csHigh entropy of concatenated method names: 'DFVlLTvBYi', 'OF3lHW7NGd', 'XtjlZyN3OY', 'ntwlnUilkJ', 'yjSlWm1eOh', 'doPlXcr0sy', 'O9vJvIDjdOGA1cvFCy', 'g1sTodv39ABCOHI9rD', 'kWPllpbam2', 'WnhlDc57fZ'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, TOUElNi2dJ1lYilUES.csHigh entropy of concatenated method names: 'wyjLb53cnP', 'VJwLSRShXW', 'fKBL5V1TkO', 'bc05CPMmb6', 'dRT5zyKOdQ', 'GAELoqfWVB', 'HLwLlyOWwR', 'VjgL9kbND1', 'z8dLD011lO', 'pcxLFxsb7a'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, LlkJocrZVOSjBNjSm1.csHigh entropy of concatenated method names: 'xPd6mZwyis', 'Gf06h18XIb', 'FKVSMHkmuD', 'YE9SgHwQ7q', 'F3ySjug1rs', 'T3ZScNMTjq', 'elbSikr1oW', 'WPoSeqvOYr', 'i5iSKd0qyH', 'cBpSIt5qf0'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, fgT2tgwvS0qEO8ySCQ.csHigh entropy of concatenated method names: 'BNyWIiNyY7', 'YG3Wywbbyc', 'u7sWwJksvd', 'EtNWVaxCyi', 'ndWWJWxiZM', 'kqqWMZwwOL', 'NiIWgTrZpq', 'LDjWjmCTRo', 'g0NWcLSQWM', 'U7SWiCdnVD'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, xGpQc0TtjyN3OY7twU.csHigh entropy of concatenated method names: 'zgpSkTWxGx', 'YjRSdiJ5kl', 'r90SOR2vsg', 'm5xSTmRMTy', 'oBASWw6ntW', 'RUESXxP9Qq', 'tKBSEAZl5X', 'h9hSvLYMZq', 'GyoSffiDUc', 'ICkSx3llvV'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, LOhDoPGcr0sy8ui08J.csHigh entropy of concatenated method names: 'elQ51ErY3m', 'GPx5pTltYb', 'YsY560KWqw', 'VgF5LGfWE1', 'h1M5HQswC0', 'W9y64icfoZ', 'EdP6ae8VQu', 'RNN6Rt1RjS', 'Gqu60MeE6q', 'yvR62ZrEqG'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, VncoUxRqwyxacejbqa.csHigh entropy of concatenated method names: 'oE3fWS1bn7', 'SmUfEdrAgA', 'ojsffPyQbv', 'daNf8bYDdM', 'jYQfUEkAGA', 'i4tfB3iYr9', 'Dispose', 'JEmvbyb5Jd', 'D22vpTGMSY', 'CTdvSJcRi7'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, DJEwmBlFhqMWq18ODlp.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6HYfesMbL', 'PsGYxCjWbV', 'UC3Y8vJRoe', 'pE0YYYC6hR', 'pkEYUVNy1N', 'RnvY3jkhLc', 'NHnYBppQJ4'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, SBOMUsllvJRxlWuCoho.csHigh entropy of concatenated method names: 'GXXxCbHHlj', 'Nfxxz70sct', 'KjR8oIJbge', 'kFw8lJjjWi', 'pfO89oAZEM', 'GD88DUrHGh', 'G3d8FA6i0F', 'wfv81ouXLO', 'cgS8b272Xv', 'L9q8ppZQQJ'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.csHigh entropy of concatenated method names: 'zJKD14YgEb', 'GcYDb6CFSR', 'rRSDpcLYt0', 'l1gDSqTCwk', 'iPTD6B3JQS', 'bFMD5XuGig', 'YhODLclJi4', 'XGWDHY0Kvi', 'Au8DqTcEKl', 'ennDZLOYld'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, BjMU6yaiqhebqut6xN.csHigh entropy of concatenated method names: 'Ew2E0JFYEo', 'YAcECZyFIM', 'Ubjvop2lgF', 'iW5vl5ukS1', 'ijiEPeJiPO', 'LwwEy4QVR9', 'HbVEu9BmlU', 'Fs3EwZXFxy', 'yU8EVq9moq', 'qZLEQyYlfb'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, OimXPJ21cqVTQHZAbD.csHigh entropy of concatenated method names: 'v7wfGuFvx6', 'CnufJrQmR9', 'y6NfMYPoS3', 'P1hfgGF3JT', 'q4Yfjx15Ry', 'CUWfcmJeIm', 'phafiry9q4', 'tLGfexfZMq', 'DR3fKjt2dA', 'q15fIKuou0'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, dJ1DG7zThxA1XO7tHU.csHigh entropy of concatenated method names: 'rY5xd4cIlg', 'b10xOsHpw0', 'lJoxTn1HAS', 'HNmxG9xOaq', 'G9LxJMUGHv', 'RM7xgvvbBY', 'A3bxjgJIGK', 'rroxBq8VkE', 'tVDxAqC81W', 'uRRxNidDSN'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, URBpJYuUOiqnwSLstk.csHigh entropy of concatenated method names: 'AYs7O1xA6j', 'Bpi7Td8dHK', 'Nic7GHJIoZ', 'wlm7JpENsf', 's7Q7gg8ktN', 'L117juSTJT', 'MUx7iHCQMl', 'FwB7eSRPjn', 'kfo7ILUn2N', 'zQV7PZOaEV'
              Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, STvBYiOPF3W7NGdnQE.csHigh entropy of concatenated method names: 'WOqpwoEitK', 'XJNpVdNW28', 'OtxpQf3no4', 'tMVptnFnTa', 'ju0p4WaY1J', 'X7LpaZSLth', 'lQEpRrBvCZ', 'fX2p0sE3Ri', 'hgOp2xN38s', 'EUHpCaaAoS'
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeFile created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeJump to dropped file

              Boot Survival

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp"

              Hooking and other Techniques for Hiding and Protection

              barindex
              Loading BitLocker PowerShell Module
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Yara detected AntiVM3
              Source: Yara matchFile source: Process Memory Space: Payment Advice D 0024679526 3930.exe PID: 7016, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: OyXCaSLaAXfAKx.exe PID: 4916, type: MEMORYSTR
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory allocated: 2F20000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory allocated: 3150000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory allocated: 8090000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory allocated: 9090000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory allocated: 9240000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory allocated: A240000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMemory allocated: 2DC0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMemory allocated: 2FD0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMemory allocated: 2DE0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMemory allocated: 78C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMemory allocated: 88C0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMemory allocated: 8A60000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMemory allocated: 9A60000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0162096E rdtsc 8_2_0162096E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3123Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3370Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeAPI coverage: 0.6 %
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeAPI coverage: 0.4 %
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe TID: 7076Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5416Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7152Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4948Thread sleep time: -2767011611056431s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6996Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe TID: 4180Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe TID: 7276Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe TID: 7388Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0162096E rdtsc 8_2_0162096E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_004178E3 LdrLoadDll,8_2_004178E3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6154 mov eax, dword ptr fs:[00000030h]8_2_015E6154
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6154 mov eax, dword ptr fs:[00000030h]8_2_015E6154
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DC156 mov eax, dword ptr fs:[00000030h]8_2_015DC156
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4164 mov eax, dword ptr fs:[00000030h]8_2_016B4164
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4164 mov eax, dword ptr fs:[00000030h]8_2_016B4164
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01674144 mov eax, dword ptr fs:[00000030h]8_2_01674144
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01674144 mov eax, dword ptr fs:[00000030h]8_2_01674144
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01674144 mov ecx, dword ptr fs:[00000030h]8_2_01674144
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01674144 mov eax, dword ptr fs:[00000030h]8_2_01674144
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01674144 mov eax, dword ptr fs:[00000030h]8_2_01674144
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01678158 mov eax, dword ptr fs:[00000030h]8_2_01678158
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01610124 mov eax, dword ptr fs:[00000030h]8_2_01610124
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov ecx, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov ecx, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov ecx, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E10E mov ecx, dword ptr fs:[00000030h]8_2_0168E10E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168A118 mov ecx, dword ptr fs:[00000030h]8_2_0168A118
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168A118 mov eax, dword ptr fs:[00000030h]8_2_0168A118
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168A118 mov eax, dword ptr fs:[00000030h]8_2_0168A118
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168A118 mov eax, dword ptr fs:[00000030h]8_2_0168A118
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A0115 mov eax, dword ptr fs:[00000030h]8_2_016A0115
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B61E5 mov eax, dword ptr fs:[00000030h]8_2_016B61E5
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016101F8 mov eax, dword ptr fs:[00000030h]8_2_016101F8
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A61C3 mov eax, dword ptr fs:[00000030h]8_2_016A61C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A61C3 mov eax, dword ptr fs:[00000030h]8_2_016A61C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E1D0 mov eax, dword ptr fs:[00000030h]8_2_0165E1D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E1D0 mov eax, dword ptr fs:[00000030h]8_2_0165E1D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E1D0 mov ecx, dword ptr fs:[00000030h]8_2_0165E1D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E1D0 mov eax, dword ptr fs:[00000030h]8_2_0165E1D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E1D0 mov eax, dword ptr fs:[00000030h]8_2_0165E1D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DA197 mov eax, dword ptr fs:[00000030h]8_2_015DA197
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DA197 mov eax, dword ptr fs:[00000030h]8_2_015DA197
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DA197 mov eax, dword ptr fs:[00000030h]8_2_015DA197
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169C188 mov eax, dword ptr fs:[00000030h]8_2_0169C188
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169C188 mov eax, dword ptr fs:[00000030h]8_2_0169C188
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01620185 mov eax, dword ptr fs:[00000030h]8_2_01620185
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01684180 mov eax, dword ptr fs:[00000030h]8_2_01684180
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01684180 mov eax, dword ptr fs:[00000030h]8_2_01684180
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166019F mov eax, dword ptr fs:[00000030h]8_2_0166019F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166019F mov eax, dword ptr fs:[00000030h]8_2_0166019F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166019F mov eax, dword ptr fs:[00000030h]8_2_0166019F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166019F mov eax, dword ptr fs:[00000030h]8_2_0166019F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E2050 mov eax, dword ptr fs:[00000030h]8_2_015E2050
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160C073 mov eax, dword ptr fs:[00000030h]8_2_0160C073
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01666050 mov eax, dword ptr fs:[00000030h]8_2_01666050
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE016 mov eax, dword ptr fs:[00000030h]8_2_015FE016
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE016 mov eax, dword ptr fs:[00000030h]8_2_015FE016
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE016 mov eax, dword ptr fs:[00000030h]8_2_015FE016
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE016 mov eax, dword ptr fs:[00000030h]8_2_015FE016
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01676030 mov eax, dword ptr fs:[00000030h]8_2_01676030
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01664000 mov ecx, dword ptr fs:[00000030h]8_2_01664000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01682000 mov eax, dword ptr fs:[00000030h]8_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01682000 mov eax, dword ptr fs:[00000030h]8_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01682000 mov eax, dword ptr fs:[00000030h]8_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01682000 mov eax, dword ptr fs:[00000030h]8_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01682000 mov eax, dword ptr fs:[00000030h]8_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01682000 mov eax, dword ptr fs:[00000030h]8_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01682000 mov eax, dword ptr fs:[00000030h]8_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01682000 mov eax, dword ptr fs:[00000030h]8_2_01682000
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DA020 mov eax, dword ptr fs:[00000030h]8_2_015DA020
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DC020 mov eax, dword ptr fs:[00000030h]8_2_015DC020
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016660E0 mov eax, dword ptr fs:[00000030h]8_2_016660E0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016220F0 mov ecx, dword ptr fs:[00000030h]8_2_016220F0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DC0F0 mov eax, dword ptr fs:[00000030h]8_2_015DC0F0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E80E9 mov eax, dword ptr fs:[00000030h]8_2_015E80E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016620DE mov eax, dword ptr fs:[00000030h]8_2_016620DE
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DA0E3 mov ecx, dword ptr fs:[00000030h]8_2_015DA0E3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016780A8 mov eax, dword ptr fs:[00000030h]8_2_016780A8
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A60B8 mov eax, dword ptr fs:[00000030h]8_2_016A60B8
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A60B8 mov ecx, dword ptr fs:[00000030h]8_2_016A60B8
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E208A mov eax, dword ptr fs:[00000030h]8_2_015E208A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D80A0 mov eax, dword ptr fs:[00000030h]8_2_015D80A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168437C mov eax, dword ptr fs:[00000030h]8_2_0168437C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B634F mov eax, dword ptr fs:[00000030h]8_2_016B634F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01662349 mov eax, dword ptr fs:[00000030h]8_2_01662349
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AA352 mov eax, dword ptr fs:[00000030h]8_2_016AA352
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01688350 mov ecx, dword ptr fs:[00000030h]8_2_01688350
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166035C mov eax, dword ptr fs:[00000030h]8_2_0166035C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166035C mov eax, dword ptr fs:[00000030h]8_2_0166035C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166035C mov eax, dword ptr fs:[00000030h]8_2_0166035C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166035C mov ecx, dword ptr fs:[00000030h]8_2_0166035C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166035C mov eax, dword ptr fs:[00000030h]8_2_0166035C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166035C mov eax, dword ptr fs:[00000030h]8_2_0166035C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DC310 mov ecx, dword ptr fs:[00000030h]8_2_015DC310
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B8324 mov eax, dword ptr fs:[00000030h]8_2_016B8324
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B8324 mov ecx, dword ptr fs:[00000030h]8_2_016B8324
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B8324 mov eax, dword ptr fs:[00000030h]8_2_016B8324
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B8324 mov eax, dword ptr fs:[00000030h]8_2_016B8324
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A30B mov eax, dword ptr fs:[00000030h]8_2_0161A30B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A30B mov eax, dword ptr fs:[00000030h]8_2_0161A30B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A30B mov eax, dword ptr fs:[00000030h]8_2_0161A30B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01600310 mov ecx, dword ptr fs:[00000030h]8_2_01600310
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E83C0 mov eax, dword ptr fs:[00000030h]8_2_015E83C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E83C0 mov eax, dword ptr fs:[00000030h]8_2_015E83C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E83C0 mov eax, dword ptr fs:[00000030h]8_2_015E83C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E83C0 mov eax, dword ptr fs:[00000030h]8_2_015E83C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h]8_2_015EA3C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h]8_2_015EA3C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h]8_2_015EA3C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h]8_2_015EA3C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h]8_2_015EA3C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h]8_2_015EA3C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016163FF mov eax, dword ptr fs:[00000030h]8_2_016163FF
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169C3CD mov eax, dword ptr fs:[00000030h]8_2_0169C3CD
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016663C0 mov eax, dword ptr fs:[00000030h]8_2_016663C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE3F0 mov eax, dword ptr fs:[00000030h]8_2_015FE3F0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE3F0 mov eax, dword ptr fs:[00000030h]8_2_015FE3F0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE3F0 mov eax, dword ptr fs:[00000030h]8_2_015FE3F0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E3DB mov eax, dword ptr fs:[00000030h]8_2_0168E3DB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E3DB mov eax, dword ptr fs:[00000030h]8_2_0168E3DB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E3DB mov ecx, dword ptr fs:[00000030h]8_2_0168E3DB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168E3DB mov eax, dword ptr fs:[00000030h]8_2_0168E3DB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h]8_2_015F03E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h]8_2_015F03E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h]8_2_015F03E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h]8_2_015F03E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h]8_2_015F03E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h]8_2_015F03E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h]8_2_015F03E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h]8_2_015F03E9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016843D4 mov eax, dword ptr fs:[00000030h]8_2_016843D4
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016843D4 mov eax, dword ptr fs:[00000030h]8_2_016843D4
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D8397 mov eax, dword ptr fs:[00000030h]8_2_015D8397
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D8397 mov eax, dword ptr fs:[00000030h]8_2_015D8397
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D8397 mov eax, dword ptr fs:[00000030h]8_2_015D8397
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DE388 mov eax, dword ptr fs:[00000030h]8_2_015DE388
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DE388 mov eax, dword ptr fs:[00000030h]8_2_015DE388
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DE388 mov eax, dword ptr fs:[00000030h]8_2_015DE388
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160438F mov eax, dword ptr fs:[00000030h]8_2_0160438F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160438F mov eax, dword ptr fs:[00000030h]8_2_0160438F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6259 mov eax, dword ptr fs:[00000030h]8_2_015E6259
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DA250 mov eax, dword ptr fs:[00000030h]8_2_015DA250
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01690274 mov eax, dword ptr fs:[00000030h]8_2_01690274
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01668243 mov eax, dword ptr fs:[00000030h]8_2_01668243
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01668243 mov ecx, dword ptr fs:[00000030h]8_2_01668243
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D826B mov eax, dword ptr fs:[00000030h]8_2_015D826B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B625D mov eax, dword ptr fs:[00000030h]8_2_016B625D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169A250 mov eax, dword ptr fs:[00000030h]8_2_0169A250
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169A250 mov eax, dword ptr fs:[00000030h]8_2_0169A250
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E4260 mov eax, dword ptr fs:[00000030h]8_2_015E4260
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E4260 mov eax, dword ptr fs:[00000030h]8_2_015E4260
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E4260 mov eax, dword ptr fs:[00000030h]8_2_015E4260
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D823B mov eax, dword ptr fs:[00000030h]8_2_015D823B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h]8_2_015EA2C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h]8_2_015EA2C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h]8_2_015EA2C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h]8_2_015EA2C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h]8_2_015EA2C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B62D6 mov eax, dword ptr fs:[00000030h]8_2_016B62D6
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F02E1 mov eax, dword ptr fs:[00000030h]8_2_015F02E1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F02E1 mov eax, dword ptr fs:[00000030h]8_2_015F02E1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F02E1 mov eax, dword ptr fs:[00000030h]8_2_015F02E1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h]8_2_016762A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016762A0 mov ecx, dword ptr fs:[00000030h]8_2_016762A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h]8_2_016762A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h]8_2_016762A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h]8_2_016762A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h]8_2_016762A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01660283 mov eax, dword ptr fs:[00000030h]8_2_01660283
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01660283 mov eax, dword ptr fs:[00000030h]8_2_01660283
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01660283 mov eax, dword ptr fs:[00000030h]8_2_01660283
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E284 mov eax, dword ptr fs:[00000030h]8_2_0161E284
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E284 mov eax, dword ptr fs:[00000030h]8_2_0161E284
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F02A0 mov eax, dword ptr fs:[00000030h]8_2_015F02A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F02A0 mov eax, dword ptr fs:[00000030h]8_2_015F02A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161656A mov eax, dword ptr fs:[00000030h]8_2_0161656A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161656A mov eax, dword ptr fs:[00000030h]8_2_0161656A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161656A mov eax, dword ptr fs:[00000030h]8_2_0161656A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E8550 mov eax, dword ptr fs:[00000030h]8_2_015E8550
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E8550 mov eax, dword ptr fs:[00000030h]8_2_015E8550
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h]8_2_0160E53E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h]8_2_0160E53E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h]8_2_0160E53E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h]8_2_0160E53E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h]8_2_0160E53E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01676500 mov eax, dword ptr fs:[00000030h]8_2_01676500
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h]8_2_015F0535
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h]8_2_015F0535
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h]8_2_015F0535
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h]8_2_015F0535
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h]8_2_015F0535
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h]8_2_015F0535
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h]8_2_016B4500
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h]8_2_016B4500
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h]8_2_016B4500
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h]8_2_016B4500
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h]8_2_016B4500
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h]8_2_016B4500
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h]8_2_016B4500
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h]8_2_0160E5E7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h]8_2_0160E5E7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h]8_2_0160E5E7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h]8_2_0160E5E7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h]8_2_0160E5E7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h]8_2_0160E5E7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h]8_2_0160E5E7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h]8_2_0160E5E7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161C5ED mov eax, dword ptr fs:[00000030h]8_2_0161C5ED
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161C5ED mov eax, dword ptr fs:[00000030h]8_2_0161C5ED
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E65D0 mov eax, dword ptr fs:[00000030h]8_2_015E65D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E5CF mov eax, dword ptr fs:[00000030h]8_2_0161E5CF
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E5CF mov eax, dword ptr fs:[00000030h]8_2_0161E5CF
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A5D0 mov eax, dword ptr fs:[00000030h]8_2_0161A5D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A5D0 mov eax, dword ptr fs:[00000030h]8_2_0161A5D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E25E0 mov eax, dword ptr fs:[00000030h]8_2_015E25E0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016605A7 mov eax, dword ptr fs:[00000030h]8_2_016605A7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016605A7 mov eax, dword ptr fs:[00000030h]8_2_016605A7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016605A7 mov eax, dword ptr fs:[00000030h]8_2_016605A7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016045B1 mov eax, dword ptr fs:[00000030h]8_2_016045B1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016045B1 mov eax, dword ptr fs:[00000030h]8_2_016045B1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E2582 mov eax, dword ptr fs:[00000030h]8_2_015E2582
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E2582 mov ecx, dword ptr fs:[00000030h]8_2_015E2582
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01614588 mov eax, dword ptr fs:[00000030h]8_2_01614588
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E59C mov eax, dword ptr fs:[00000030h]8_2_0161E59C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D645D mov eax, dword ptr fs:[00000030h]8_2_015D645D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166C460 mov ecx, dword ptr fs:[00000030h]8_2_0166C460
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160A470 mov eax, dword ptr fs:[00000030h]8_2_0160A470
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160A470 mov eax, dword ptr fs:[00000030h]8_2_0160A470
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160A470 mov eax, dword ptr fs:[00000030h]8_2_0160A470
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h]8_2_0161E443
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h]8_2_0161E443
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h]8_2_0161E443
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h]8_2_0161E443
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h]8_2_0161E443
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h]8_2_0161E443
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h]8_2_0161E443
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h]8_2_0161E443
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160245A mov eax, dword ptr fs:[00000030h]8_2_0160245A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169A456 mov eax, dword ptr fs:[00000030h]8_2_0169A456
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01666420 mov eax, dword ptr fs:[00000030h]8_2_01666420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01666420 mov eax, dword ptr fs:[00000030h]8_2_01666420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01666420 mov eax, dword ptr fs:[00000030h]8_2_01666420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01666420 mov eax, dword ptr fs:[00000030h]8_2_01666420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01666420 mov eax, dword ptr fs:[00000030h]8_2_01666420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01666420 mov eax, dword ptr fs:[00000030h]8_2_01666420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01666420 mov eax, dword ptr fs:[00000030h]8_2_01666420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A430 mov eax, dword ptr fs:[00000030h]8_2_0161A430
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01618402 mov eax, dword ptr fs:[00000030h]8_2_01618402
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01618402 mov eax, dword ptr fs:[00000030h]8_2_01618402
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01618402 mov eax, dword ptr fs:[00000030h]8_2_01618402
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DC427 mov eax, dword ptr fs:[00000030h]8_2_015DC427
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DE420 mov eax, dword ptr fs:[00000030h]8_2_015DE420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DE420 mov eax, dword ptr fs:[00000030h]8_2_015DE420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DE420 mov eax, dword ptr fs:[00000030h]8_2_015DE420
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E04E5 mov ecx, dword ptr fs:[00000030h]8_2_015E04E5
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016144B0 mov ecx, dword ptr fs:[00000030h]8_2_016144B0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166A4B0 mov eax, dword ptr fs:[00000030h]8_2_0166A4B0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0169A49A mov eax, dword ptr fs:[00000030h]8_2_0169A49A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E64AB mov eax, dword ptr fs:[00000030h]8_2_015E64AB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E0750 mov eax, dword ptr fs:[00000030h]8_2_015E0750
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161674D mov esi, dword ptr fs:[00000030h]8_2_0161674D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161674D mov eax, dword ptr fs:[00000030h]8_2_0161674D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161674D mov eax, dword ptr fs:[00000030h]8_2_0161674D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E8770 mov eax, dword ptr fs:[00000030h]8_2_015E8770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h]8_2_015F0770
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622750 mov eax, dword ptr fs:[00000030h]8_2_01622750
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622750 mov eax, dword ptr fs:[00000030h]8_2_01622750
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01664755 mov eax, dword ptr fs:[00000030h]8_2_01664755
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166E75D mov eax, dword ptr fs:[00000030h]8_2_0166E75D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161C720 mov eax, dword ptr fs:[00000030h]8_2_0161C720
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161C720 mov eax, dword ptr fs:[00000030h]8_2_0161C720
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E0710 mov eax, dword ptr fs:[00000030h]8_2_015E0710
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165C730 mov eax, dword ptr fs:[00000030h]8_2_0165C730
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161273C mov eax, dword ptr fs:[00000030h]8_2_0161273C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161273C mov ecx, dword ptr fs:[00000030h]8_2_0161273C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161273C mov eax, dword ptr fs:[00000030h]8_2_0161273C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161C700 mov eax, dword ptr fs:[00000030h]8_2_0161C700
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01610710 mov eax, dword ptr fs:[00000030h]8_2_01610710
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166E7E1 mov eax, dword ptr fs:[00000030h]8_2_0166E7E1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016027ED mov eax, dword ptr fs:[00000030h]8_2_016027ED
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016027ED mov eax, dword ptr fs:[00000030h]8_2_016027ED
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016027ED mov eax, dword ptr fs:[00000030h]8_2_016027ED
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EC7C0 mov eax, dword ptr fs:[00000030h]8_2_015EC7C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E47FB mov eax, dword ptr fs:[00000030h]8_2_015E47FB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E47FB mov eax, dword ptr fs:[00000030h]8_2_015E47FB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016607C3 mov eax, dword ptr fs:[00000030h]8_2_016607C3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016947A0 mov eax, dword ptr fs:[00000030h]8_2_016947A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168678E mov eax, dword ptr fs:[00000030h]8_2_0168678E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E07AF mov eax, dword ptr fs:[00000030h]8_2_015E07AF
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A660 mov eax, dword ptr fs:[00000030h]8_2_0161A660
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A660 mov eax, dword ptr fs:[00000030h]8_2_0161A660
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A866E mov eax, dword ptr fs:[00000030h]8_2_016A866E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A866E mov eax, dword ptr fs:[00000030h]8_2_016A866E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01612674 mov eax, dword ptr fs:[00000030h]8_2_01612674
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FC640 mov eax, dword ptr fs:[00000030h]8_2_015FC640
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01616620 mov eax, dword ptr fs:[00000030h]8_2_01616620
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01618620 mov eax, dword ptr fs:[00000030h]8_2_01618620
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F260B mov eax, dword ptr fs:[00000030h]8_2_015F260B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F260B mov eax, dword ptr fs:[00000030h]8_2_015F260B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F260B mov eax, dword ptr fs:[00000030h]8_2_015F260B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F260B mov eax, dword ptr fs:[00000030h]8_2_015F260B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F260B mov eax, dword ptr fs:[00000030h]8_2_015F260B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F260B mov eax, dword ptr fs:[00000030h]8_2_015F260B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F260B mov eax, dword ptr fs:[00000030h]8_2_015F260B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E609 mov eax, dword ptr fs:[00000030h]8_2_0165E609
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E262C mov eax, dword ptr fs:[00000030h]8_2_015E262C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015FE627 mov eax, dword ptr fs:[00000030h]8_2_015FE627
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01622619 mov eax, dword ptr fs:[00000030h]8_2_01622619
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E6F2 mov eax, dword ptr fs:[00000030h]8_2_0165E6F2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E6F2 mov eax, dword ptr fs:[00000030h]8_2_0165E6F2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E6F2 mov eax, dword ptr fs:[00000030h]8_2_0165E6F2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E6F2 mov eax, dword ptr fs:[00000030h]8_2_0165E6F2
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016606F1 mov eax, dword ptr fs:[00000030h]8_2_016606F1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016606F1 mov eax, dword ptr fs:[00000030h]8_2_016606F1
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A6C7 mov ebx, dword ptr fs:[00000030h]8_2_0161A6C7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A6C7 mov eax, dword ptr fs:[00000030h]8_2_0161A6C7
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161C6A6 mov eax, dword ptr fs:[00000030h]8_2_0161C6A6
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E4690 mov eax, dword ptr fs:[00000030h]8_2_015E4690
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E4690 mov eax, dword ptr fs:[00000030h]8_2_015E4690
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016166B0 mov eax, dword ptr fs:[00000030h]8_2_016166B0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01606962 mov eax, dword ptr fs:[00000030h]8_2_01606962
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01606962 mov eax, dword ptr fs:[00000030h]8_2_01606962
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01606962 mov eax, dword ptr fs:[00000030h]8_2_01606962
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0162096E mov eax, dword ptr fs:[00000030h]8_2_0162096E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0162096E mov edx, dword ptr fs:[00000030h]8_2_0162096E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0162096E mov eax, dword ptr fs:[00000030h]8_2_0162096E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01684978 mov eax, dword ptr fs:[00000030h]8_2_01684978
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01684978 mov eax, dword ptr fs:[00000030h]8_2_01684978
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166C97C mov eax, dword ptr fs:[00000030h]8_2_0166C97C
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01660946 mov eax, dword ptr fs:[00000030h]8_2_01660946
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4940 mov eax, dword ptr fs:[00000030h]8_2_016B4940
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D8918 mov eax, dword ptr fs:[00000030h]8_2_015D8918
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D8918 mov eax, dword ptr fs:[00000030h]8_2_015D8918
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166892A mov eax, dword ptr fs:[00000030h]8_2_0166892A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0167892B mov eax, dword ptr fs:[00000030h]8_2_0167892B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E908 mov eax, dword ptr fs:[00000030h]8_2_0165E908
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165E908 mov eax, dword ptr fs:[00000030h]8_2_0165E908
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166C912 mov eax, dword ptr fs:[00000030h]8_2_0166C912
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166E9E0 mov eax, dword ptr fs:[00000030h]8_2_0166E9E0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h]8_2_015EA9D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h]8_2_015EA9D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h]8_2_015EA9D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h]8_2_015EA9D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h]8_2_015EA9D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h]8_2_015EA9D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016129F9 mov eax, dword ptr fs:[00000030h]8_2_016129F9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016129F9 mov eax, dword ptr fs:[00000030h]8_2_016129F9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016769C0 mov eax, dword ptr fs:[00000030h]8_2_016769C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016149D0 mov eax, dword ptr fs:[00000030h]8_2_016149D0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AA9D3 mov eax, dword ptr fs:[00000030h]8_2_016AA9D3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016689B3 mov esi, dword ptr fs:[00000030h]8_2_016689B3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016689B3 mov eax, dword ptr fs:[00000030h]8_2_016689B3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016689B3 mov eax, dword ptr fs:[00000030h]8_2_016689B3
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E09AD mov eax, dword ptr fs:[00000030h]8_2_015E09AD
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E09AD mov eax, dword ptr fs:[00000030h]8_2_015E09AD
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h]8_2_015F29A0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E4859 mov eax, dword ptr fs:[00000030h]8_2_015E4859
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E4859 mov eax, dword ptr fs:[00000030h]8_2_015E4859
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166E872 mov eax, dword ptr fs:[00000030h]8_2_0166E872
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166E872 mov eax, dword ptr fs:[00000030h]8_2_0166E872
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01676870 mov eax, dword ptr fs:[00000030h]8_2_01676870
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01676870 mov eax, dword ptr fs:[00000030h]8_2_01676870
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F2840 mov ecx, dword ptr fs:[00000030h]8_2_015F2840
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01610854 mov eax, dword ptr fs:[00000030h]8_2_01610854
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161A830 mov eax, dword ptr fs:[00000030h]8_2_0161A830
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168483A mov eax, dword ptr fs:[00000030h]8_2_0168483A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168483A mov eax, dword ptr fs:[00000030h]8_2_0168483A
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01602835 mov eax, dword ptr fs:[00000030h]8_2_01602835
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01602835 mov eax, dword ptr fs:[00000030h]8_2_01602835
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01602835 mov eax, dword ptr fs:[00000030h]8_2_01602835
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01602835 mov ecx, dword ptr fs:[00000030h]8_2_01602835
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01602835 mov eax, dword ptr fs:[00000030h]8_2_01602835
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01602835 mov eax, dword ptr fs:[00000030h]8_2_01602835
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166C810 mov eax, dword ptr fs:[00000030h]8_2_0166C810
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AA8E4 mov eax, dword ptr fs:[00000030h]8_2_016AA8E4
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161C8F9 mov eax, dword ptr fs:[00000030h]8_2_0161C8F9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161C8F9 mov eax, dword ptr fs:[00000030h]8_2_0161C8F9
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160E8C0 mov eax, dword ptr fs:[00000030h]8_2_0160E8C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B08C0 mov eax, dword ptr fs:[00000030h]8_2_016B08C0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E0887 mov eax, dword ptr fs:[00000030h]8_2_015E0887
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166C89D mov eax, dword ptr fs:[00000030h]8_2_0166C89D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015D8B50 mov eax, dword ptr fs:[00000030h]8_2_015D8B50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01694B4B mov eax, dword ptr fs:[00000030h]8_2_01694B4B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01694B4B mov eax, dword ptr fs:[00000030h]8_2_01694B4B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015DCB7E mov eax, dword ptr fs:[00000030h]8_2_015DCB7E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01676B40 mov eax, dword ptr fs:[00000030h]8_2_01676B40
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01676B40 mov eax, dword ptr fs:[00000030h]8_2_01676B40
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016AAB40 mov eax, dword ptr fs:[00000030h]8_2_016AAB40
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01688B42 mov eax, dword ptr fs:[00000030h]8_2_01688B42
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168EB50 mov eax, dword ptr fs:[00000030h]8_2_0168EB50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B2B57 mov eax, dword ptr fs:[00000030h]8_2_016B2B57
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B2B57 mov eax, dword ptr fs:[00000030h]8_2_016B2B57
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B2B57 mov eax, dword ptr fs:[00000030h]8_2_016B2B57
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B2B57 mov eax, dword ptr fs:[00000030h]8_2_016B2B57
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160EB20 mov eax, dword ptr fs:[00000030h]8_2_0160EB20
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160EB20 mov eax, dword ptr fs:[00000030h]8_2_0160EB20
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A8B28 mov eax, dword ptr fs:[00000030h]8_2_016A8B28
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016A8B28 mov eax, dword ptr fs:[00000030h]8_2_016A8B28
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_016B4B00 mov eax, dword ptr fs:[00000030h]8_2_016B4B00
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h]8_2_0165EB1D
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E0BCD mov eax, dword ptr fs:[00000030h]8_2_015E0BCD
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E0BCD mov eax, dword ptr fs:[00000030h]8_2_015E0BCD
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E0BCD mov eax, dword ptr fs:[00000030h]8_2_015E0BCD
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166CBF0 mov eax, dword ptr fs:[00000030h]8_2_0166CBF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160EBFC mov eax, dword ptr fs:[00000030h]8_2_0160EBFC
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01600BCB mov eax, dword ptr fs:[00000030h]8_2_01600BCB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01600BCB mov eax, dword ptr fs:[00000030h]8_2_01600BCB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01600BCB mov eax, dword ptr fs:[00000030h]8_2_01600BCB
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E8BF0 mov eax, dword ptr fs:[00000030h]8_2_015E8BF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E8BF0 mov eax, dword ptr fs:[00000030h]8_2_015E8BF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E8BF0 mov eax, dword ptr fs:[00000030h]8_2_015E8BF0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168EBD0 mov eax, dword ptr fs:[00000030h]8_2_0168EBD0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01694BB0 mov eax, dword ptr fs:[00000030h]8_2_01694BB0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01694BB0 mov eax, dword ptr fs:[00000030h]8_2_01694BB0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0BBE mov eax, dword ptr fs:[00000030h]8_2_015F0BBE
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0BBE mov eax, dword ptr fs:[00000030h]8_2_015F0BBE
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0A5B mov eax, dword ptr fs:[00000030h]8_2_015F0A5B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015F0A5B mov eax, dword ptr fs:[00000030h]8_2_015F0A5B
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0168EA60 mov eax, dword ptr fs:[00000030h]8_2_0168EA60
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161CA6F mov eax, dword ptr fs:[00000030h]8_2_0161CA6F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161CA6F mov eax, dword ptr fs:[00000030h]8_2_0161CA6F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161CA6F mov eax, dword ptr fs:[00000030h]8_2_0161CA6F
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h]8_2_015E6A50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h]8_2_015E6A50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h]8_2_015E6A50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h]8_2_015E6A50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h]8_2_015E6A50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h]8_2_015E6A50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h]8_2_015E6A50
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165CA72 mov eax, dword ptr fs:[00000030h]8_2_0165CA72
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0165CA72 mov eax, dword ptr fs:[00000030h]8_2_0165CA72
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161CA24 mov eax, dword ptr fs:[00000030h]8_2_0161CA24
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0160EA2E mov eax, dword ptr fs:[00000030h]8_2_0160EA2E
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01604A35 mov eax, dword ptr fs:[00000030h]8_2_01604A35
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01604A35 mov eax, dword ptr fs:[00000030h]8_2_01604A35
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161CA38 mov eax, dword ptr fs:[00000030h]8_2_0161CA38
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0166CA11 mov eax, dword ptr fs:[00000030h]8_2_0166CA11
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015E0AD0 mov eax, dword ptr fs:[00000030h]8_2_015E0AD0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161AAEE mov eax, dword ptr fs:[00000030h]8_2_0161AAEE
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_0161AAEE mov eax, dword ptr fs:[00000030h]8_2_0161AAEE
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01636ACC mov eax, dword ptr fs:[00000030h]8_2_01636ACC
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01636ACC mov eax, dword ptr fs:[00000030h]8_2_01636ACC
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01636ACC mov eax, dword ptr fs:[00000030h]8_2_01636ACC
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01614AD0 mov eax, dword ptr fs:[00000030h]8_2_01614AD0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01614AD0 mov eax, dword ptr fs:[00000030h]8_2_01614AD0
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_01636AA4 mov eax, dword ptr fs:[00000030h]8_2_01636AA4
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EEA80 mov eax, dword ptr fs:[00000030h]8_2_015EEA80
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeCode function: 8_2_015EEA80 mov eax, dword ptr fs:[00000030h]8_2_015EEA80
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Adds a directory exclusion to Windows Defender
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"Jump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeMemory written: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeMemory written: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeProcess created: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeProcess created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeQueries volume information: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              barindex
              Yara detected FormBook
              Source: Yara matchFile source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Scheduled Task/Job              		1
              Scheduled Task/Job              		111
              Process Injection              		1
              Masquerading              		OS Credential Dumping12
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/Job1
              DLL Side-Loading              		1
              Scheduled Task/Job              		11
              Disable or Modify Tools              		LSASS Memory1
              Process Discovery              		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
              DLL Side-Loading              		41
              Virtualization/Sandbox Evasion              		Security Account Manager41
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
              Process Injection              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Deobfuscate/Decode Files or Information              		LSA Secrets1
              File and Directory Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
              Obfuscated Files or Information              		Cached Domain Credentials12
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
              Software Packing              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              DLL Side-Loading              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562305 Sample: Payment Advice D 0024679526... Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 44 Antivirus / Scanner detection for submitted sample 2->44 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 9 other signatures 2->50 7 Payment Advice D 0024679526 3930.exe 7 2->7         started        11 OyXCaSLaAXfAKx.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\...\OyXCaSLaAXfAKx.exe, PE32 7->36 dropped 38 C:\...\OyXCaSLaAXfAKx.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp7D3C.tmp, XML 7->40 dropped 42 Payment Advice D 0024679526 3930.exe.log, ASCII 7->42 dropped 52 Adds a directory exclusion to Windows Defender 7->52 54 Injects a PE file into a foreign processes 7->54 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        20 Payment Advice D 0024679526 3930.exe 7->20         started        56 Antivirus detection for dropped file 11->56 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 22 schtasks.exe 1 11->22         started        24 OyXCaSLaAXfAKx.exe 11->24         started        signatures5 process6 signatures7 62 Loading BitLocker PowerShell Module 13->62 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 conhost.exe 22->34         started        process8

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              Payment Advice D 0024679526 3930.exe66%ReversingLabsByteCode-MSIL.Trojan.Taskun
              Payment Advice D 0024679526 3930.exe100%AviraHEUR/AGEN.1306899
              Payment Advice D 0024679526 3930.exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe100%AviraHEUR/AGEN.1306899
              C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe100%Joe Sandbox ML
              C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe66%ReversingLabsByteCode-MSIL.Trojan.Taskun

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              fp2e7a.wpc.phicdn.net
              		192.229.221.95
              		truefalse
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.apache.org/licenses/LICENSE-2.0Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.fontbureau.comPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.com/designersGPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.com/designers/?Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/bThePayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers?Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.tiro.comPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.com/designersPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.goodfont.co.krPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.carterandcone.comlPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.sajatypeworks.comPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.typography.netDPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.com/designers/cabarga.htmlNPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.founder.com.cn/cn/cThePayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.galapagosdesign.com/staff/dennis.htmPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.founder.com.cn/cnPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.fontbureau.com/designers/frere-user.htmlPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.jiyu-kobo.co.jp/Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.galapagosdesign.com/DPleasePayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.fontbureau.com/designers8Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.fonts.comPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.sandoll.co.krPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.urwpp.deDPleasePayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.zhongyicts.com.cnPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePayment Advice D 0024679526 3930.exe, 00000000.00000002.1756504603.00000000031AB000.00000004.00000800.00020000.00000000.sdmp, OyXCaSLaAXfAKx.exe, 00000009.00000002.1972391149.000000000302B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://www.sakkal.comPayment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high

                                                                    World Map of Contacted IPs

                                                                    No contacted IP infos

                                                                    General Information

                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1562305
                                                                    Start date and time:2024-11-25 13:42:39 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 7m 54s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                    Number of analysed new started processes analysed:18
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:Payment Advice D 0024679526 3930.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.evad.winEXE@19/15@0/0
                                                                    EGA Information:
                                                                    • Successful, ratio: 100%
                                                                    HCA Information:
                                                                    • Successful, ratio: 98%
                                                                    • Number of executed functions: 85
                                                                    • Number of non-executed functions: 292
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe

                                                                    Warnings

                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • VT rate limit hit for: Payment Advice D 0024679526 3930.exe

                                                                    Simulations

                                                                    Behavior and APIs

                                                                    TimeTypeDescription
                                                                    07:43:32API Interceptor5x Sleep call for process: Payment Advice D 0024679526 3930.exe modified
                                                                    07:43:34API Interceptor41x Sleep call for process: powershell.exe modified
                                                                    07:43:39API Interceptor5x Sleep call for process: OyXCaSLaAXfAKx.exe modified
                                                                    12:43:35Task SchedulerRun new task: OyXCaSLaAXfAKx path: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe

                                                                    Joe Sandbox View / Context

                                                                    IPs

                                                                    No context

                                                                    Domains

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    fp2e7a.wpc.phicdn.netfile.exeGet hashmaliciousPureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                    • 192.229.221.95
                                                                    05.Unzipped.obfhotel22-11.jsGet hashmaliciousRHADAMANTHYSBrowse
                                                                    • 192.229.221.95
                                                                    0a0#U00a0.jsGet hashmaliciousRHADAMANTHYSBrowse
                                                                    • 192.229.221.95
                                                                    somes.exeGet hashmaliciousRedLineBrowse
                                                                    • 192.229.221.95
                                                                    segura.vbsGet hashmaliciousRemcosBrowse
                                                                    • 192.229.221.95
                                                                    asegurar.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                                                                    • 192.229.221.95
                                                                    2Wr5r2e9vo.msiGet hashmaliciousUnknownBrowse
                                                                    • 192.229.221.95
                                                                    file.exeGet hashmaliciousCredential FlusherBrowse
                                                                    • 192.229.221.95
                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                    • 192.229.221.95
                                                                    Outstanding Invoices_pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                    • 192.229.221.95

                                                                    ASNs

                                                                    No context

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OyXCaSLaAXfAKx.exe.log

                                                                    Download File
                                                                    Process:C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1216
                                                                    Entropy (8bit):5.34331486778365
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                    Malicious:false
                                                                    Reputation:high, very likely benign file
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice D 0024679526 3930.exe.log

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1216
                                                                    Entropy (8bit):5.34331486778365
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                    Malicious:true
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):2232
                                                                    Entropy (8bit):5.379552885213346
                                                                    Encrypted:false
                                                                    SSDEEP:48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//MM0Uyus:fLHxvCsIfA2KRHmOugA1s
                                                                    MD5:D453258060AFEB6CAD05A86BCB4BA21D
                                                                    SHA1:E9E3DC45C2973773AAA422079A5AD945F1C86389
                                                                    SHA-256:CB241A1BDD284207E8ADD0BB2EEB08DB4B2FF9B86569D7E32FB84A9C9E97D857
                                                                    SHA-512:F9ED104279065F45CE0EEF584A4435C9B6B90F9DD6E1DE89D4EDB4F635E866A039969B3BDF112888312E3AABB91B2D73EF7CA3E8A7CB34A3CE042B6F1B3090AC
                                                                    Malicious:false
                                                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5alykqpv.400.psm1

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adwrnhbt.uv1.ps1

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmz5baya.k3h.psm1

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ho1fhmnl.nwg.ps1

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m55eogfc.nfv.psm1

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_neppi3vh.drh.ps1

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_otgoey53.eai.psm1

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqs1f13z.5kv.ps1

                                                                    Download File
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1580
                                                                    Entropy (8bit):5.12079143005535
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtam++xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTN+yv
                                                                    MD5:F55D6FA75FE839FB54585D74ACB6A098
                                                                    SHA1:EEA88432999EA54E79A7B6A2DA0FCFD32264EE02
                                                                    SHA-256:A2AF55ECADF2BF027B3C2D0F730063E3E53BB5644A37259B5973ABCF2F5C240B
                                                                    SHA-512:BCE71C3AA929220877051840B2003202944C749952C8F5FBB00923173523F4C41BC1B28498D8125930BF22DD015660453B1113141550FDA8ED1C34B7B856B119
                                                                    Malicious:true
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                    C:\Users\user\AppData\Local\Temp\tmp9633.tmp

                                                                    Download File
                                                                    Process:C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1580
                                                                    Entropy (8bit):5.12079143005535
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtam++xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTN+yv
                                                                    MD5:F55D6FA75FE839FB54585D74ACB6A098
                                                                    SHA1:EEA88432999EA54E79A7B6A2DA0FCFD32264EE02
                                                                    SHA-256:A2AF55ECADF2BF027B3C2D0F730063E3E53BB5644A37259B5973ABCF2F5C240B
                                                                    SHA-512:BCE71C3AA929220877051840B2003202944C749952C8F5FBB00923173523F4C41BC1B28498D8125930BF22DD015660453B1113141550FDA8ED1C34B7B856B119
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                    C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):795648
                                                                    Entropy (8bit):7.937895494557865
                                                                    Encrypted:false
                                                                    SSDEEP:12288:RrOY+Ri3AgFdjR7fO2JmTuPoJexKRaSxyDXKNBljKnIs2NRpaKrT7kolfz27WB:eQ3AgFObAM9ecrgoNRp3rTYol1B
                                                                    MD5:DCD730D80C1A49C81B02EB90B5F9C4A6
                                                                    SHA1:6FD7CF911360120F2AF050611AC416045AC74C1B
                                                                    SHA-256:FBC1981C8C4B453464E63EA2155AA74D2E6E6DA1FD3268FD8B45E16C1D2BD0D2
                                                                    SHA-512:FAB0831D86F73F48598117D6455A4F234154DB1AF38D50F290D225194C23957BF1E57B29C5351018C37373339852D99205ECB263B3F90F6D6AD662C4A908A923
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K.=g..............0...... ....... ... ...@....@.. ....................................`.....................................O....@..|....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......."..............@..B................. ......H........6...(...........^..(.............................................(......}.....{....r...p .....o5....{....o7...&*....0...........{......o9.....}........&.....*..................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=........*......+..E..........\b......2.{....oA...*n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

                                                                    C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe:Zone.Identifier

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Preview:[ZoneTransfer]....ZoneId=0

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.937895494557865
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    File name:Payment Advice D 0024679526 3930.exe
                                                                    File size:795'648 bytes
                                                                    MD5:dcd730d80c1a49c81b02eb90b5f9c4a6
                                                                    SHA1:6fd7cf911360120f2af050611ac416045ac74c1b
                                                                    SHA256:fbc1981c8c4b453464e63ea2155aa74d2e6e6da1fd3268fd8b45e16c1d2bd0d2
                                                                    SHA512:fab0831d86f73f48598117d6455a4f234154db1af38d50f290d225194c23957bf1e57b29c5351018c37373339852d99205ecb263b3f90f6d6ad662c4a908a923
                                                                    SSDEEP:12288:RrOY+Ri3AgFdjR7fO2JmTuPoJexKRaSxyDXKNBljKnIs2NRpaKrT7kolfz27WB:eQ3AgFObAM9ecrgoNRp3rTYol1B
                                                                    TLSH:9A0523E877FD6923C42D75B084E34140CA387C19EA44EF9C47CC7D96972679C8AE63A2
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K.=g..............0...... ....... ... ...@....@.. ....................................`................................

                                                                    File Icon

                                                                    Icon Hash:8bdb4b414d656d61

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x4c202e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x673D984B [Wed Nov 20 08:05:31 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

                                                                    Data Directories

                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xc1fdc0x4f.text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0xc40000x1d7c.rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0xc60000xc.reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                    Sections

                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                    .text0x20000xc00340xc02009797131742d7e5dacbb497688233b2e2False0.9610810934450228data7.944349569066882IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rsrc0xc40000x1d7c0x1e0026b4c7fb9a0be3e9f38c5b1756b993daFalse0.8059895833333334data7.3215781856341655IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc0xc60000xc0x20077d6202716b5121c38bf83519d4cd282False0.044921875data0.09409792566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                    RT_ICON0xc41000x1733PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9151372284896447
                                                                    RT_GROUP_ICON0xc58440x14data1.05
                                                                    RT_VERSION0xc58680x314data0.43274111675126903
                                                                    RT_MANIFEST0xc5b8c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                    Imports

                                                                    DLLImport
                                                                    mscoree.dll_CorExeMain

                                                                    Network Behavior

                                                                    DNS Answers

                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                    Nov 25, 2024 13:43:28.026849985 CET1.1.1.1192.168.2.40x5191No error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                                                                    Nov 25, 2024 13:43:28.026849985 CET1.1.1.1192.168.2.40x5191No error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false

                                                                    Statistics

                                                                    CPU Usage

                                                                    Click to jump to process

                                                                    Memory Usage

                                                                    Click to jump to process

                                                                    High Level Behavior Distribution

                                                                    Click to dive into process behavior distribution

                                                                    Behavior

                                                                    Click to jump to process

                                                                    System Behavior

                                                                    General

                                                                    Target ID:0
                                                                    Start time:07:43:31
                                                                    Start date:25/11/2024
                                                                    Path:C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
                                                                    Imagebase:0xd40000
                                                                    File size:795'648 bytes
                                                                    MD5 hash:DCD730D80C1A49C81B02EB90B5F9C4A6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:2
                                                                    Start time:07:43:33
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
                                                                    Imagebase:0x470000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:3
                                                                    Start time:07:43:33
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:4
                                                                    Start time:07:43:33
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"
                                                                    Imagebase:0x470000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:5
                                                                    Start time:07:43:33
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:6
                                                                    Start time:07:43:34
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp"
                                                                    Imagebase:0x3a0000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:7
                                                                    Start time:07:43:34
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:8
                                                                    Start time:07:43:34
                                                                    Start date:25/11/2024
                                                                    Path:C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
                                                                    Imagebase:0xa60000
                                                                    File size:795'648 bytes
                                                                    MD5 hash:DCD730D80C1A49C81B02EB90B5F9C4A6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:9
                                                                    Start time:07:43:35
                                                                    Start date:25/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe
                                                                    Imagebase:0xac0000
                                                                    File size:795'648 bytes
                                                                    MD5 hash:DCD730D80C1A49C81B02EB90B5F9C4A6
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 66%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:10
                                                                    Start time:07:43:37
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                    Imagebase:0x7ff693ab0000
                                                                    File size:496'640 bytes
                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:11
                                                                    Start time:07:43:40
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp"
                                                                    Imagebase:0x3a0000
                                                                    File size:187'904 bytes
                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:12
                                                                    Start time:07:43:40
                                                                    Start date:25/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:13
                                                                    Start time:07:43:41
                                                                    Start date:25/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"
                                                                    Imagebase:0x830000
                                                                    File size:795'648 bytes
                                                                    MD5 hash:DCD730D80C1A49C81B02EB90B5F9C4A6
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Disassembly

                                                                    Reset < >

                                                                      Execution Graph

                                                                      Execution Coverage:10.7%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:231
                                                                      Total number of Limit Nodes:5
                                                                      execution_graph 24831 5594668 24832 5594672 24831->24832 24836 5594758 24831->24836 24841 5593e28 24832->24841 24834 559468d 24837 559477d 24836->24837 24845 5594858 24837->24845 24849 5594868 24837->24849 24842 5593e33 24841->24842 24857 5595c24 24842->24857 24844 5596faf 24844->24834 24846 5594868 24845->24846 24847 559496c 24846->24847 24853 55944b0 24846->24853 24851 559488f 24849->24851 24850 559496c 24850->24850 24851->24850 24852 55944b0 CreateActCtxA 24851->24852 24852->24850 24854 55958f8 CreateActCtxA 24853->24854 24856 55959bb 24854->24856 24856->24856 24858 5595c2f 24857->24858 24861 5595c44 24858->24861 24860 5597055 24860->24844 24862 5595c4f 24861->24862 24865 5595c74 24862->24865 24864 559713a 24864->24860 24866 5595c7f 24865->24866 24869 5595ca4 24866->24869 24868 559722d 24868->24864 24870 5595caf 24869->24870 24872 559852b 24870->24872 24876 559abe2 24870->24876 24871 5598569 24871->24868 24872->24871 24880 559ccd8 24872->24880 24885 559ccc8 24872->24885 24890 559abff 24876->24890 24895 559ac10 24876->24895 24877 559abee 24877->24872 24881 559ccf9 24880->24881 24882 559cd1d 24881->24882 24930 559ce88 24881->24930 24934 559ce77 24881->24934 24882->24871 24886 559ccd8 24885->24886 24887 559cd1d 24886->24887 24888 559ce88 3 API calls 24886->24888 24889 559ce77 3 API calls 24886->24889 24887->24871 24888->24887 24889->24887 24891 559ac10 24890->24891 24899 559ad08 24891->24899 24909 559acf8 24891->24909 24892 559ac1f 24892->24877 24897 559ad08 2 API calls 24895->24897 24898 559acf8 2 API calls 24895->24898 24896 559ac1f 24896->24877 24897->24896 24898->24896 24900 559ad19 24899->24900 24903 559ad3c 24899->24903 24919 559a02c 24900->24919 24903->24892 24904 559ad34 24904->24903 24905 559af40 GetModuleHandleW 24904->24905 24906 559af6d 24905->24906 24906->24892 24910 559ad08 24909->24910 24911 559a02c GetModuleHandleW 24910->24911 24913 559ad3c 24910->24913 24912 559ad24 24911->24912 24912->24913 24917 559af90 GetModuleHandleW 24912->24917 24918 559afa0 GetModuleHandleW 24912->24918 24913->24892 24914 559ad34 24914->24913 24915 559af40 GetModuleHandleW 24914->24915 24916 559af6d 24915->24916 24916->24892 24917->24914 24918->24914 24920 559aef8 GetModuleHandleW 24919->24920 24922 559ad24 24920->24922 24922->24903 24923 559afa0 24922->24923 24926 559af90 24922->24926 24924 559a02c GetModuleHandleW 24923->24924 24925 559afb4 24924->24925 24925->24904 24927 559afa0 24926->24927 24928 559a02c GetModuleHandleW 24927->24928 24929 559afb4 24928->24929 24929->24904 24931 559ce95 24930->24931 24932 559cecf 24931->24932 24938 559ba40 24931->24938 24932->24882 24935 559ce88 24934->24935 24936 559cecf 24935->24936 24937 559ba40 3 API calls 24935->24937 24936->24882 24937->24936 24939 559ba4b 24938->24939 24941 559dbe8 24939->24941 24942 559d23c 24939->24942 24941->24941 24943 559d247 24942->24943 24944 5595ca4 3 API calls 24943->24944 24945 559dc57 24944->24945 24945->24941 24946 559cfa0 24947 559cfe6 24946->24947 24951 559d578 24947->24951 24954 559d588 24947->24954 24948 559d0d3 24957 559d1dc 24951->24957 24955 559d1dc DuplicateHandle 24954->24955 24956 559d5b6 24954->24956 24955->24956 24956->24948 24958 559d5f0 DuplicateHandle 24957->24958 24959 559d5b6 24958->24959 24959->24948 24659 79f84d0 24660 79f846a 24659->24660 24661 79f84d6 24659->24661 24664 79fae80 24661->24664 24665 79fae9a 24664->24665 24668 79fb199 24665->24668 24666 79f879a 24669 79fb1a1 24668->24669 24670 79fb1cf 24669->24670 24686 79fbcf6 24669->24686 24690 79fb3f9 24669->24690 24698 79fb420 24669->24698 24703 79fb445 24669->24703 24708 79fb665 24669->24708 24716 79fb585 24669->24716 24720 79fb488 24669->24720 24725 79fb949 24669->24725 24730 79fb6cb 24669->24730 24738 79fb38c 24669->24738 24743 79fb3ed 24669->24743 24748 79fb3b1 24669->24748 24753 79fbb32 24669->24753 24761 79fb332 24669->24761 24765 79fb534 24669->24765 24670->24666 24773 79f7d58 24686->24773 24777 79f7d60 24686->24777 24687 79fbd1a 24691 79fb419 24690->24691 24781 79f72a8 24691->24781 24785 79f72a0 24691->24785 24692 79fbc5d 24789 79f7788 24692->24789 24793 79f7790 24692->24793 24693 79fbcc4 24699 79fb432 24698->24699 24797 79f7c98 24699->24797 24801 79f7ca0 24699->24801 24700 79fb5da 24700->24670 24704 79fb464 24703->24704 24706 79f7d58 WriteProcessMemory 24704->24706 24707 79f7d60 WriteProcessMemory 24704->24707 24705 79fbb84 24706->24705 24707->24705 24709 79fb66d 24708->24709 24714 79f72a8 ResumeThread 24709->24714 24715 79f72a0 ResumeThread 24709->24715 24710 79fbc5d 24712 79f7788 Wow64SetThreadContext 24710->24712 24713 79f7790 Wow64SetThreadContext 24710->24713 24711 79fbcc4 24712->24711 24713->24711 24714->24710 24715->24710 24805 79fbf58 24716->24805 24810 79fbf68 24716->24810 24717 79fb59d 24717->24670 24721 79fb398 24720->24721 24721->24720 24723 79f7d58 WriteProcessMemory 24721->24723 24724 79f7d60 WriteProcessMemory 24721->24724 24722 79fb85b 24723->24722 24724->24722 24726 79fb94f 24725->24726 24815 79f7e48 24726->24815 24819 79f7e50 24726->24819 24727 79fb972 24727->24670 24731 79fb419 24730->24731 24734 79f72a8 ResumeThread 24731->24734 24735 79f72a0 ResumeThread 24731->24735 24732 79fbc5d 24736 79f7788 Wow64SetThreadContext 24732->24736 24737 79f7790 Wow64SetThreadContext 24732->24737 24733 79fbcc4 24734->24732 24735->24732 24736->24733 24737->24733 24739 79fb398 24738->24739 24741 79f7d58 WriteProcessMemory 24739->24741 24742 79f7d60 WriteProcessMemory 24739->24742 24740 79fb85b 24741->24740 24742->24740 24745 79fb398 24743->24745 24744 79fb85b 24746 79f7d58 WriteProcessMemory 24745->24746 24747 79f7d60 WriteProcessMemory 24745->24747 24746->24744 24747->24744 24749 79fb398 24748->24749 24751 79f7d58 WriteProcessMemory 24749->24751 24752 79f7d60 WriteProcessMemory 24749->24752 24750 79fb85b 24751->24750 24752->24750 24754 79fbb38 24753->24754 24759 79f72a8 ResumeThread 24754->24759 24760 79f72a0 ResumeThread 24754->24760 24755 79fbc5d 24757 79f7788 Wow64SetThreadContext 24755->24757 24758 79f7790 Wow64SetThreadContext 24755->24758 24756 79fbcc4 24757->24756 24758->24756 24759->24755 24760->24755 24823 79f7fdd 24761->24823 24827 79f7fe8 24761->24827 24768 79fb53a 24765->24768 24766 79fbc5d 24769 79f7788 Wow64SetThreadContext 24766->24769 24770 79f7790 Wow64SetThreadContext 24766->24770 24767 79fbcc4 24768->24766 24771 79f72a8 ResumeThread 24768->24771 24772 79f72a0 ResumeThread 24768->24772 24769->24767 24770->24767 24771->24766 24772->24766 24774 79f7d61 WriteProcessMemory 24773->24774 24776 79f7dff 24774->24776 24776->24687 24778 79f7da8 WriteProcessMemory 24777->24778 24780 79f7dff 24778->24780 24780->24687 24782 79f72e8 ResumeThread 24781->24782 24784 79f7319 24782->24784 24784->24692 24786 79f72a8 ResumeThread 24785->24786 24788 79f7319 24786->24788 24788->24692 24790 79f7791 Wow64SetThreadContext 24789->24790 24792 79f781d 24790->24792 24792->24693 24794 79f77d5 Wow64SetThreadContext 24793->24794 24796 79f781d 24794->24796 24796->24693 24798 79f7ca0 VirtualAllocEx 24797->24798 24800 79f7d1d 24798->24800 24800->24700 24802 79f7ce0 VirtualAllocEx 24801->24802 24804 79f7d1d 24802->24804 24804->24700 24806 79fbf61 24805->24806 24808 79f7788 Wow64SetThreadContext 24806->24808 24809 79f7790 Wow64SetThreadContext 24806->24809 24807 79fbf93 24807->24717 24808->24807 24809->24807 24811 79fbf7d 24810->24811 24813 79f7788 Wow64SetThreadContext 24811->24813 24814 79f7790 Wow64SetThreadContext 24811->24814 24812 79fbf93 24812->24717 24813->24812 24814->24812 24816 79f7e51 ReadProcessMemory 24815->24816 24818 79f7edf 24816->24818 24818->24727 24820 79f7e9b ReadProcessMemory 24819->24820 24822 79f7edf 24820->24822 24822->24727 24824 79f8071 CreateProcessA 24823->24824 24826 79f8233 24824->24826 24828 79f8071 CreateProcessA 24827->24828 24830 79f8233 24828->24830 24960 79fc120 24961 79fc2ab 24960->24961 24963 79fc146 24960->24963 24963->24961 24964 79f4a30 24963->24964 24965 79fc3a0 PostMessageW 24964->24965 24966 79fc40c 24965->24966 24966->24963

                                                                      Executed Functions

                                                                      Function 079F0948 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: I
                                                                      • API String ID: 0-3707901625
                                                                      • Opcode ID: e2bd32328d4fbb4258a0d71545d8d86027c79c814cf3fc1649a50300695f3622
                                                                      • Instruction ID: ed6c87f684ae56b29fd30a30e3e4f74748e7cb278f1a23b7e69dab69bc8344e6
                                                                      • Opcode Fuzzy Hash: e2bd32328d4fbb4258a0d71545d8d86027c79c814cf3fc1649a50300695f3622
                                                                      • Instruction Fuzzy Hash: 122142B1E056099BEB18CFAB9C016EEFBFBAFC9214F08C0B6D50866255DA7405458F91
                                                                      Function 079FD0C0 Relevance: .6, Instructions: 623COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 223bfc57832c49eda0471ba05dd57560188f840dcb0862da6cabf78ada33cb31
                                                                      • Instruction ID: 33f869e8ed363cda112b8823cfde182442cdee6b9d94215b8a8e9b3465bbdf8a
                                                                      • Opcode Fuzzy Hash: 223bfc57832c49eda0471ba05dd57560188f840dcb0862da6cabf78ada33cb31
                                                                      • Instruction Fuzzy Hash: A3329DB1B016059FDB19DB69C564BAEBBFABF89304F144469E206DB3A0CB34ED01CB51
                                                                      Function 079F7FDD Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 326 79f7fdd-79f807d 328 79f807f-79f8089 326->328 329 79f80b6-79f80d6 326->329 328->329 330 79f808b-79f808d 328->330 336 79f810f-79f813e 329->336 337 79f80d8-79f80e2 329->337 331 79f808f-79f8099 330->331 332 79f80b0-79f80b3 330->332 334 79f809d-79f80ac 331->334 335 79f809b 331->335 332->329 334->334 338 79f80ae 334->338 335->334 343 79f8177-79f8231 CreateProcessA 336->343 344 79f8140-79f814a 336->344 337->336 339 79f80e4-79f80e6 337->339 338->332 341 79f8109-79f810c 339->341 342 79f80e8-79f80f2 339->342 341->336 345 79f80f6-79f8105 342->345 346 79f80f4 342->346 357 79f823a-79f82c0 343->357 358 79f8233-79f8239 343->358 344->343 348 79f814c-79f814e 344->348 345->345 347 79f8107 345->347 346->345 347->341 349 79f8171-79f8174 348->349 350 79f8150-79f815a 348->350 349->343 352 79f815e-79f816d 350->352 353 79f815c 350->353 352->352 355 79f816f 352->355 353->352 355->349 368 79f82c2-79f82c6 357->368 369 79f82d0-79f82d4 357->369 358->357 368->369 372 79f82c8 368->372 370 79f82d6-79f82da 369->370 371 79f82e4-79f82e8 369->371 370->371 373 79f82dc 370->373 374 79f82ea-79f82ee 371->374 375 79f82f8-79f82fc 371->375 372->369 373->371 374->375 376 79f82f0 374->376 377 79f830e-79f8315 375->377 378 79f82fe-79f8304 375->378 376->375 379 79f832c 377->379 380 79f8317-79f8326 377->380 378->377 381 79f832d 379->381 380->379 381->381
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079F821E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 5203edd4a13947ae198397dc6e81bbd395eaf8c8da993270aec9f76d32deb7ed
                                                                      • Instruction ID: fd915e5a615e3336d5294d8e350a94508f39ceefc3647b666e738f633dcd2151
                                                                      • Opcode Fuzzy Hash: 5203edd4a13947ae198397dc6e81bbd395eaf8c8da993270aec9f76d32deb7ed
                                                                      • Instruction Fuzzy Hash: 1FA18DB1E0061ACFDB10CF68CC40BEDBBB6BF44314F0481A9E918A7250DB749985CF92
                                                                      Function 079F7FE8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 383 79f7fe8-79f807d 385 79f807f-79f8089 383->385 386 79f80b6-79f80d6 383->386 385->386 387 79f808b-79f808d 385->387 393 79f810f-79f813e 386->393 394 79f80d8-79f80e2 386->394 388 79f808f-79f8099 387->388 389 79f80b0-79f80b3 387->389 391 79f809d-79f80ac 388->391 392 79f809b 388->392 389->386 391->391 395 79f80ae 391->395 392->391 400 79f8177-79f8231 CreateProcessA 393->400 401 79f8140-79f814a 393->401 394->393 396 79f80e4-79f80e6 394->396 395->389 398 79f8109-79f810c 396->398 399 79f80e8-79f80f2 396->399 398->393 402 79f80f6-79f8105 399->402 403 79f80f4 399->403 414 79f823a-79f82c0 400->414 415 79f8233-79f8239 400->415 401->400 405 79f814c-79f814e 401->405 402->402 404 79f8107 402->404 403->402 404->398 406 79f8171-79f8174 405->406 407 79f8150-79f815a 405->407 406->400 409 79f815e-79f816d 407->409 410 79f815c 407->410 409->409 412 79f816f 409->412 410->409 412->406 425 79f82c2-79f82c6 414->425 426 79f82d0-79f82d4 414->426 415->414 425->426 429 79f82c8 425->429 427 79f82d6-79f82da 426->427 428 79f82e4-79f82e8 426->428 427->428 430 79f82dc 427->430 431 79f82ea-79f82ee 428->431 432 79f82f8-79f82fc 428->432 429->426 430->428 431->432 433 79f82f0 431->433 434 79f830e-79f8315 432->434 435 79f82fe-79f8304 432->435 433->432 436 79f832c 434->436 437 79f8317-79f8326 434->437 435->434 438 79f832d 436->438 437->436 438->438
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079F821E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: f875f1932269daf0bfa05e78d6633983a55f445693a198f0ab56a3ea74172502
                                                                      • Instruction ID: f502f707f6a31ccc85c4d0bbfc21f49fe1cd84bbe5ebc84241adc87e44cc15d0
                                                                      • Opcode Fuzzy Hash: f875f1932269daf0bfa05e78d6633983a55f445693a198f0ab56a3ea74172502
                                                                      • Instruction Fuzzy Hash: 6B917CB1E0061ADFDB50CFA8CC40BEDBBB6BF44314F0481A9E918A7250DB759985CF92
                                                                      Function 0559AD08 Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 440 559ad08-559ad17 441 559ad19-559ad26 call 559a02c 440->441 442 559ad43-559ad47 440->442 448 559ad28 441->448 449 559ad3c 441->449 444 559ad49-559ad53 442->444 445 559ad5b-559ad9c 442->445 444->445 451 559ada9-559adb7 445->451 452 559ad9e-559ada6 445->452 497 559ad2e call 559af90 448->497 498 559ad2e call 559afa0 448->498 449->442 453 559adb9-559adbe 451->453 454 559addb-559addd 451->454 452->451 456 559adc9 453->456 457 559adc0-559adc7 call 559a038 453->457 459 559ade0-559ade7 454->459 455 559ad34-559ad36 455->449 458 559ae78-559af38 455->458 461 559adcb-559add9 456->461 457->461 490 559af3a-559af3d 458->490 491 559af40-559af6b GetModuleHandleW 458->491 462 559ade9-559adf1 459->462 463 559adf4-559adfb 459->463 461->459 462->463 464 559ae08-559ae11 call 559a048 463->464 465 559adfd-559ae05 463->465 471 559ae1e-559ae23 464->471 472 559ae13-559ae1b 464->472 465->464 473 559ae41-559ae45 471->473 474 559ae25-559ae2c 471->474 472->471 495 559ae48 call 559b290 473->495 496 559ae48 call 559b2a0 473->496 474->473 476 559ae2e-559ae3e call 559a058 call 559a068 474->476 476->473 479 559ae4b-559ae4e 481 559ae71-559ae77 479->481 482 559ae50-559ae6e 479->482 482->481 490->491 492 559af6d-559af73 491->492 493 559af74-559af88 491->493 492->493 495->479 496->479 497->455 498->455
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1762488397.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5590000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 61a73c400418cfa6212bef71479b1f302146b4854e710fad747a619427f2069f
                                                                      • Instruction ID: 51c21b91462138111a55d513b6eb130bec38a33b08a9ee638cf92429c441fd82
                                                                      • Opcode Fuzzy Hash: 61a73c400418cfa6212bef71479b1f302146b4854e710fad747a619427f2069f
                                                                      • Instruction Fuzzy Hash: 33713770A00B058FDB28DF29D14576ABBF5FF88304F00892DD48AD7A54DB78E949CBA1
                                                                      Function 055944B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 499 55944b0-55959b9 CreateActCtxA 502 55959bb-55959c1 499->502 503 55959c2-5595a1c 499->503 502->503 510 5595a2b-5595a2f 503->510 511 5595a1e-5595a21 503->511 512 5595a31-5595a3d 510->512 513 5595a40 510->513 511->510 512->513 514 5595a41 513->514 514->514
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 055959A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1762488397.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5590000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 352509a6f8ed58103c04ccdfad7f74d94304b05bb6adc29c39d22fbe48774139
                                                                      • Instruction ID: 4bb6efeb2afebf820ac5bfdb4f6b75cb9265457322aac50e4ad258c31fb6947f
                                                                      • Opcode Fuzzy Hash: 352509a6f8ed58103c04ccdfad7f74d94304b05bb6adc29c39d22fbe48774139
                                                                      • Instruction Fuzzy Hash: 2E41FFB0C0072DCBDB24DFA9C884B9EBBF5BF49304F20846AD408AB251EB756945CF91
                                                                      Function 055958EC Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 516 55958ec-55958f4 517 55958fc-55959b9 CreateActCtxA 516->517 519 55959bb-55959c1 517->519 520 55959c2-5595a1c 517->520 519->520 527 5595a2b-5595a2f 520->527 528 5595a1e-5595a21 520->528 529 5595a31-5595a3d 527->529 530 5595a40 527->530 528->527 529->530 531 5595a41 530->531 531->531
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 055959A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1762488397.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5590000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: d22d626b0db83739cf5b66ef891848da168751631d8dd364554878a5dc6a9cb0
                                                                      • Instruction ID: afeccc4351d7270cb6d51a7c8b068b79d9b2e3b67ed27a5097b403b62f82fc54
                                                                      • Opcode Fuzzy Hash: d22d626b0db83739cf5b66ef891848da168751631d8dd364554878a5dc6a9cb0
                                                                      • Instruction Fuzzy Hash: D8410EB0C00629CEDB24CFA9C9847DDBBF5BF49304F24806AD409AB251EB756986CF91
                                                                      Function 079F7D58 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 533 79f7d58-79f7dae 536 79f7dbe-79f7dfd WriteProcessMemory 533->536 537 79f7db0-79f7dbc 533->537 539 79f7dff-79f7e05 536->539 540 79f7e06-79f7e36 536->540 537->536 539->540
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079F7DF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: d930572c19fd01c3b3cbae3bd9290e236d5ffc5c4075a0f6072aadef68a8e408
                                                                      • Instruction ID: a4a23842265e00019c8eea6c0e4cf012c38575a868db51f642da7da04b818d44
                                                                      • Opcode Fuzzy Hash: d930572c19fd01c3b3cbae3bd9290e236d5ffc5c4075a0f6072aadef68a8e408
                                                                      • Instruction Fuzzy Hash: 9B2146B1900359DFCB10DFA9C880BEEBBF5FF48314F50842AE958A7250C7789944CBA5
                                                                      Function 079F7D60 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 544 79f7d60-79f7dae 546 79f7dbe-79f7dfd WriteProcessMemory 544->546 547 79f7db0-79f7dbc 544->547 549 79f7dff-79f7e05 546->549 550 79f7e06-79f7e36 546->550 547->546 549->550
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079F7DF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 6c122294d30f784083a24e492e2a9d96023d2a37277cdb230fa701691e354135
                                                                      • Instruction ID: 0d97436e54276a2f2cf3e7e037966d695ef23aeb64ffc055b71269a05b9a76d4
                                                                      • Opcode Fuzzy Hash: 6c122294d30f784083a24e492e2a9d96023d2a37277cdb230fa701691e354135
                                                                      • Instruction Fuzzy Hash: 1B2139B1900359DFCB10CFA9C885BEEBBF5FF48314F50842AE959A7250C7789944CBA4
                                                                      Function 0559D1DC Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 554 559d1dc-559d684 DuplicateHandle 556 559d68d-559d6aa 554->556 557 559d686-559d68c 554->557 557->556
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0559D5B6,?,?,?,?,?), ref: 0559D677
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1762488397.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5590000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 168c9f767cd53f2c95d503450e0531052f2ca69da51be44a337211c9ed4bf442
                                                                      • Instruction ID: 1c02aef5ced04720a8ca15767721d33ebca612376bcfd4bad3ed97c98f8284ed
                                                                      • Opcode Fuzzy Hash: 168c9f767cd53f2c95d503450e0531052f2ca69da51be44a337211c9ed4bf442
                                                                      • Instruction Fuzzy Hash: B721E3B5900258AFDB10CF9AD984ADEBBF4FB48310F14841AE958A7350D778A950CFA5
                                                                      Function 079F7788 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 560 79f7788-79f77db 563 79f77dd-79f77e9 560->563 564 79f77eb-79f781b Wow64SetThreadContext 560->564 563->564 566 79f781d-79f7823 564->566 567 79f7824-79f7854 564->567 566->567
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079F780E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 7db5787cb2772c34d845c3452f5fa88cfec84d438aaab9d47ae714f0a688a584
                                                                      • Instruction ID: a1a614277c5ca6249be01c94a24bc79f5ea63e927b554a2459e79cf070b5d779
                                                                      • Opcode Fuzzy Hash: 7db5787cb2772c34d845c3452f5fa88cfec84d438aaab9d47ae714f0a688a584
                                                                      • Instruction Fuzzy Hash: C8213AB1D003098FDB10DFAAC4857EEBBF4EF88324F14842AD559A7240DB789944CFA5
                                                                      Function 079F7E48 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 571 79f7e48-79f7edd ReadProcessMemory 575 79f7edf-79f7ee5 571->575 576 79f7ee6-79f7f16 571->576 575->576
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079F7ED0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 81a859f4296483c885ad5ae5b1464291e429d46eb5a8cb289c5e93cd6fae8b49
                                                                      • Instruction ID: 679ef322bd733a6f87011c85b3b4da2535d611dec36080fee6d2e179e4ee9a50
                                                                      • Opcode Fuzzy Hash: 81a859f4296483c885ad5ae5b1464291e429d46eb5a8cb289c5e93cd6fae8b49
                                                                      • Instruction Fuzzy Hash: 1E2107B18002599FCB10DFAAC844BDEBBF5FF48314F10842AE558A7250C7349944CBA5
                                                                      Function 079F7790 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 580 79f7790-79f77db 582 79f77dd-79f77e9 580->582 583 79f77eb-79f781b Wow64SetThreadContext 580->583 582->583 585 79f781d-79f7823 583->585 586 79f7824-79f7854 583->586 585->586
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079F780E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 63dd82e6a8bf9389ede531d12f7c2ba03b858de31a66c42a686c15c8515364a1
                                                                      • Instruction ID: 5286424858d2408dece666d64b106dc0d9475404f664dbb3b858b99af3405d55
                                                                      • Opcode Fuzzy Hash: 63dd82e6a8bf9389ede531d12f7c2ba03b858de31a66c42a686c15c8515364a1
                                                                      • Instruction Fuzzy Hash: 4C2129B1D003098FDB10DFAAC485BEEBBF4EF48324F548429D559A7240DB789945CFA5
                                                                      Function 079F7E50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 590 79f7e50-79f7edd ReadProcessMemory 593 79f7edf-79f7ee5 590->593 594 79f7ee6-79f7f16 590->594 593->594
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079F7ED0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: dbed65ff587bc2913b4ad5a3d38c2946c83b3ccb1f9b8a17a405f12592270850
                                                                      • Instruction ID: 5c2a50f98eb9d3e18c338c48e78e0bdb04eb96ec06cab7d80cd9838f24f081ad
                                                                      • Opcode Fuzzy Hash: dbed65ff587bc2913b4ad5a3d38c2946c83b3ccb1f9b8a17a405f12592270850
                                                                      • Instruction Fuzzy Hash: C02125B18003599FCB10DFAAC880BEEFBF5FF48324F50842AE558A7250C7389944CBA5
                                                                      Function 0559D5E9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 598 559d5e9-559d684 DuplicateHandle 599 559d68d-559d6aa 598->599 600 559d686-559d68c 598->600 600->599
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0559D5B6,?,?,?,?,?), ref: 0559D677
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1762488397.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5590000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 4dec1694e3270f53e0a2d7dd125b23e6dbcc5a3e9933fa857a97649c8fae31f5
                                                                      • Instruction ID: 628e0922ea924b2dca9d99cbe7794cc55e0f43e03ce1196821e18bee1351a35f
                                                                      • Opcode Fuzzy Hash: 4dec1694e3270f53e0a2d7dd125b23e6dbcc5a3e9933fa857a97649c8fae31f5
                                                                      • Instruction Fuzzy Hash: 2421E0B5D00259DFDB10CFAAD984AEEBBF4FB48310F14841AE958B3250D378A940CF64
                                                                      Function 079F7C98 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079F7D0E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 5f354c2f767c4a0bd6d547c05aa7bfac64fce7c99d53cfe9974e54a61336043c
                                                                      • Instruction ID: d2fb1b0a29ea33607284db59f6e9a0301c5a8862d49aa969da00e3baf972c22f
                                                                      • Opcode Fuzzy Hash: 5f354c2f767c4a0bd6d547c05aa7bfac64fce7c99d53cfe9974e54a61336043c
                                                                      • Instruction Fuzzy Hash: 5B115CB29003499FCB10DFA9C8446DEFFF5EF48324F208819D555A7250CB759544CFA1
                                                                      Function 079F7CA0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079F7D0E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 127d7f5db87103887326c4630d3032a426dea676201a7dce25e38649932c53c5
                                                                      • Instruction ID: c42af3b5acc5143f3f07a8f1ad05e4deb9941e3d2276ff4ae2cf7c956f54efd1
                                                                      • Opcode Fuzzy Hash: 127d7f5db87103887326c4630d3032a426dea676201a7dce25e38649932c53c5
                                                                      • Instruction Fuzzy Hash: C4113AB19002499FCB10DFAAC844BDEBFF5EF48324F108819D559A7250C7759544CFA5
                                                                      Function 079F72A0 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: ba71bac5f2233201de157140a9dac9010b41ff729698e845c82cf96a53b1161a
                                                                      • Instruction ID: 4610c00ebbcfa0ed606ff3e72b875b5440649e4aeb76c3332f9265e3d502bce6
                                                                      • Opcode Fuzzy Hash: ba71bac5f2233201de157140a9dac9010b41ff729698e845c82cf96a53b1161a
                                                                      • Instruction Fuzzy Hash: F91188B19003098FCB10DFAAC845BDEFBF4EF88324F208829D559A7240CB74A844CFA4
                                                                      Function 0559A02C Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0559AD24), ref: 0559AF5E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1762488397.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5590000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 2feb9d6a9e4c9bede491669754275609b5e43acc86381a2e1cae2799e2a5f004
                                                                      • Instruction ID: c296f311cbcd603fb38060199f7044c12045bd530ce61371dadd38cc42a01a3e
                                                                      • Opcode Fuzzy Hash: 2feb9d6a9e4c9bede491669754275609b5e43acc86381a2e1cae2799e2a5f004
                                                                      • Instruction Fuzzy Hash: A21102B6C047498FCB14CF9AC444ADEFBF4FB88214F14846AD459B7210D779A545CFA1
                                                                      Function 079F72A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 3697d8ebd5c087cd1c92f92bb799c8ca55c5121d570ff6cd3dcc93255a8be0ab
                                                                      • Instruction ID: 5891ab27583ff2883ada41cba4315a7d7280cfb5ae79d4a2ac480e626bf6b30d
                                                                      • Opcode Fuzzy Hash: 3697d8ebd5c087cd1c92f92bb799c8ca55c5121d570ff6cd3dcc93255a8be0ab
                                                                      • Instruction Fuzzy Hash: 261136B19003498FCB20DFAAC8457DEFBF4EF88324F208429D559A7250CB75A944CFA5
                                                                      Function 079FC398 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 079FC3FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: ec4041e62a78053807e66f5b0e56adfc467ec82db9ff83115ae3f7534a09cb76
                                                                      • Instruction ID: 087a9aad44c527b89ae6ef19045f538100c6825279292ce07c852dbc203d9d19
                                                                      • Opcode Fuzzy Hash: ec4041e62a78053807e66f5b0e56adfc467ec82db9ff83115ae3f7534a09cb76
                                                                      • Instruction Fuzzy Hash: FC1103B58003499FDB10DF9AD885BDEBFF8EB49324F10841AE958B7240C775A984CFA5
                                                                      Function 079F4A30 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 079FC3FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 26e1867cae86a9a8e6b80568e39ab14cb38f2a58926caff41de43ddef2cb8af6
                                                                      • Instruction ID: a205d7d70d01052b0ccd2139706ca87ebc87eca0c257279cb3958714058b80bd
                                                                      • Opcode Fuzzy Hash: 26e1867cae86a9a8e6b80568e39ab14cb38f2a58926caff41de43ddef2cb8af6
                                                                      • Instruction Fuzzy Hash: F81103B5804349DFCB10DF9AC884BDEBBF8EB49324F108419E959B7250C3B5A944CFA5
                                                                      Function 0131D3D8 Relevance: .1, Instructions: 75COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748289660.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_131d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f19de0e000b083188212828c251a743f5cd587466c96d45c9a37b73cf01c0688
                                                                      • Instruction ID: 0f2016f368fd7aacb8382411ebbd3b143eae3f0a518edd87f6295674c13b5260
                                                                      • Opcode Fuzzy Hash: f19de0e000b083188212828c251a743f5cd587466c96d45c9a37b73cf01c0688
                                                                      • Instruction Fuzzy Hash: A6214871140204DFDB09DF48D9C8B57BF65FB88318F20C569E90A1B25ACB36E446C7A1
                                                                      Function 0131D4C4 Relevance: .1, Instructions: 75COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748289660.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_131d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7db2e4e5460300951ca7c76898b8f89a9f23ea36c94bf23e27b6f894ec601c51
                                                                      • Instruction ID: 3abc0cb620f931c8df5c2c0a5813b28183134611c28b79ef59b601b47085b72c
                                                                      • Opcode Fuzzy Hash: 7db2e4e5460300951ca7c76898b8f89a9f23ea36c94bf23e27b6f894ec601c51
                                                                      • Instruction Fuzzy Hash: 8E212271500244DFDB09DF58D9C8B2BBFA5FB8831CF20C569E9090B25AC336D456CAA2
                                                                      Function 0132D1D4 Relevance: .1, Instructions: 72COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748971623.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_132d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 25ebd96f327da1b43bff17e0a5829bca6a7f3bc8c24677006f999e3e093e0c09
                                                                      • Instruction ID: 7c71793815bbfb3edae428a9294099b0696456fbb64c761604d70930fb1be6c3
                                                                      • Opcode Fuzzy Hash: 25ebd96f327da1b43bff17e0a5829bca6a7f3bc8c24677006f999e3e093e0c09
                                                                      • Instruction Fuzzy Hash: 8A212671504304EFDB05EF98D9C4B26BBA5FB85328F20C66DE9094B356C336D446CA61
                                                                      Function 0132D01C Relevance: .1, Instructions: 72COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748971623.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_132d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bb705cdcbb79cf56d3bc0b69dc8e8ed67df754192563a5875275943f8e530a8d
                                                                      • Instruction ID: a64b03eea1e92e92ce01722ed0e8a4d8cf048fa3cda8daff90893fb34399b75d
                                                                      • Opcode Fuzzy Hash: bb705cdcbb79cf56d3bc0b69dc8e8ed67df754192563a5875275943f8e530a8d
                                                                      • Instruction Fuzzy Hash: 11213471604244DFCB15EF58D9C4B26BFA5FB84318F20C56DD90A4B3A6C33AD447CAA1
                                                                      Function 0132D006 Relevance: .1, Instructions: 63COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748971623.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_132d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4c120fd9e637aa4fb1dbfa551a092fd91d15b0dbeb9a2d237d232fbc8eedff0f
                                                                      • Instruction ID: eab9e6af0b08da1304d235bc731fe1c2a6d2039b2a3786e85e0a82558932054b
                                                                      • Opcode Fuzzy Hash: 4c120fd9e637aa4fb1dbfa551a092fd91d15b0dbeb9a2d237d232fbc8eedff0f
                                                                      • Instruction Fuzzy Hash: 4B2180755083809FCB03DF64D994711BF71EB46218F28C5DAD8498F2A7C33A981ACB62
                                                                      Function 0131D4BF Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748289660.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_131d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction ID: 4bd6935678345c6ac8322ace779eb2d876f34e7160ca5baf1b20250dceabdd8b
                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction Fuzzy Hash: 0611D376504280CFDB16CF54D5C4B16BF71FB84318F24C6A9D9490B65BC336D45ACBA1
                                                                      Function 0131D3D3 Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748289660.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_131d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction ID: 4aa784655cd1472316e411c3f2bd1d310cb85a6e2183a690d5da8d94fff08dcb
                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction Fuzzy Hash: B4110372444240CFDB16CF44D5C4B56BF71FB94328F24C6A9D9090B25BC73AE45ACBA1
                                                                      Function 0132D1CF Relevance: .1, Instructions: 53COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748971623.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_132d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction ID: 98fa446b88f8e831432d224b6915b2de0e2477f00e027e81e7d4c9572dbee78e
                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction Fuzzy Hash: 6C11BB75504380DFDB02DF54D5C4B15BFB1FB85228F24C6AAD8494B296C33AD40ACB61
                                                                      Function 0131D759 Relevance: .0, Instructions: 45COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748289660.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_131d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c045bc7a97e2dc857792d220a3a0825f57459e673dd37cb33036cda4a22642dc
                                                                      • Instruction ID: 6f021047e622dc947fb02fbc0aa5619d9af25a15295f09939d4a492d7fb8a7ab
                                                                      • Opcode Fuzzy Hash: c045bc7a97e2dc857792d220a3a0825f57459e673dd37cb33036cda4a22642dc
                                                                      • Instruction Fuzzy Hash: F301DB710083849AE7154EA9DD88767FFDCEF42328F18C92AED095A28EC779D840C671
                                                                      Function 0131D758 Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1748289660.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_131d000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b8f204ef7e654b0a584af6f2d661d23fa3f396d96f7255d81f87d1678bd58f1e
                                                                      • Instruction ID: 1b773016e0cbab9ed2a561c0d5e57cbc7dadba043279dee193d15a3346c58f31
                                                                      • Opcode Fuzzy Hash: b8f204ef7e654b0a584af6f2d661d23fa3f396d96f7255d81f87d1678bd58f1e
                                                                      • Instruction Fuzzy Hash: EBF068714043449EE7158E5ADD88762FFA8EF51625F18C45AED085B28AC2759844CA71

                                                                      Non-executed Functions

                                                                      Function 079F53A8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: &9x,
                                                                      • API String ID: 0-1520004860
                                                                      • Opcode ID: ddf1b880584d441a837bc184cfd6a7f8f6417dee0f93e963e289f497d1cf6584
                                                                      • Instruction ID: 0f7628bbdfa9c847c64b5317a2a51a5ae7dcf08bd6eb2ca2470f402c79c837c6
                                                                      • Opcode Fuzzy Hash: ddf1b880584d441a837bc184cfd6a7f8f6417dee0f93e963e289f497d1cf6584
                                                                      • Instruction Fuzzy Hash: A7E1EAB4E102198FCB14DFA9C5809AEBBF6FF49314F248159E514AB356DB31AD81CF60
                                                                      Function 079F539B Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: &9x,
                                                                      • API String ID: 0-1520004860
                                                                      • Opcode ID: 5cf2f13541bbb50c2981e09673e38d57cba61b97a516f5d44a5fbb4f628fc652
                                                                      • Instruction ID: 3469f50dd7528f58d34d029af0a05a8295266439c172adccdf1674862f734d68
                                                                      • Opcode Fuzzy Hash: 5cf2f13541bbb50c2981e09673e38d57cba61b97a516f5d44a5fbb4f628fc652
                                                                      • Instruction Fuzzy Hash: 9E512BB4E1021A8BCB14DFA9C5805AEFBF6FF89304F24C169D418AB356D7309941CFA1
                                                                      Function 079F57E0 Relevance: .3, Instructions: 312COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b0de6d93bffea5a1b9436f1c662477c5cb366c361267bc64fdaee66fabde592e
                                                                      • Instruction ID: 04b89404986b1d62d5dd511e6f8332a08498870e01cd69db5b1bc3cbb51036c7
                                                                      • Opcode Fuzzy Hash: b0de6d93bffea5a1b9436f1c662477c5cb366c361267bc64fdaee66fabde592e
                                                                      • Instruction Fuzzy Hash: F4E1F8B4E1021A8FCB14DF99C5809AEFBF6FF89315F248169D514AB356DB30A981CF60
                                                                      Function 079F7358 Relevance: .3, Instructions: 312COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 67b22680f7663f6a596fbbf03727bbd0d4d36a4e125c017c65cc9bd2bd5b673e
                                                                      • Instruction ID: 62a90db13f323483699fe35cf4d87bcf35c852952956e3cd2617216195af9e61
                                                                      • Opcode Fuzzy Hash: 67b22680f7663f6a596fbbf03727bbd0d4d36a4e125c017c65cc9bd2bd5b673e
                                                                      • Instruction Fuzzy Hash: 67E1E9B4E1021A8FCB14DFA9C5809AEBBF6FF89304F248159D514AB355DB30AD81CF61
                                                                      Function 079F5C18 Relevance: .3, Instructions: 312COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4ad379905e8b542dd43b1ad79a6e5b80a93d4a9780069c0680b65fdbdeee45e0
                                                                      • Instruction ID: 2bafb1fdb8c813c0496237a9ade5679620a3857b185b05f1d482e2061aed1d6e
                                                                      • Opcode Fuzzy Hash: 4ad379905e8b542dd43b1ad79a6e5b80a93d4a9780069c0680b65fdbdeee45e0
                                                                      • Instruction Fuzzy Hash: 4BE1F9B4E102198FCB14DFA9C5809AEBBF6FF89314F248159D514AB356DB31AD81CF60
                                                                      Function 079F7868 Relevance: .3, Instructions: 312COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1765231699.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_79f0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2e875744af5be50e161b54203b2f84c4b01f2ff7977c2a0e0cd071fe9b915a79
                                                                      • Instruction ID: 055556535679d4eefd4a390aa227fb8e5adb497524447f9f02c844d34e895bd7
                                                                      • Opcode Fuzzy Hash: 2e875744af5be50e161b54203b2f84c4b01f2ff7977c2a0e0cd071fe9b915a79
                                                                      • Instruction Fuzzy Hash: F1E1E9B4E1021A8FCB14DFA9C5809AEBBF6FF89314F248169D514AB355DB31AD81CF60
                                                                      Function 0559D51C Relevance: .3, Instructions: 264COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1762488397.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5590000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d4a8088906f156d5a01f828e857b3127dea5e4a89dc7aa80c54ec96dfc520e9
                                                                      • Instruction ID: 32acfb5f46cee295a3dbbbe50f10a3f384a1443e222640b70b6835a4af69816f
                                                                      • Opcode Fuzzy Hash: 4d4a8088906f156d5a01f828e857b3127dea5e4a89dc7aa80c54ec96dfc520e9
                                                                      • Instruction Fuzzy Hash: A3A15136E1020A8FCF0ADFB4C88459EB7B2FF85300B15856AE906EB265DB75D955CF80

                                                                      Execution Graph

                                                                      Execution Coverage:0.8%
                                                                      Dynamic/Decrypted Code Coverage:5.2%
                                                                      Signature Coverage:9.3%
                                                                      Total number of Nodes:97
                                                                      Total number of Limit Nodes:8
                                                                      execution_graph 94874 42bd03 94875 42bd1d 94874->94875 94878 1622df0 LdrInitializeThunk 94875->94878 94876 42bd45 94878->94876 94951 42f993 94952 42f903 94951->94952 94953 42f960 94952->94953 94957 42e8a3 94952->94957 94955 42f93d 94956 42e7c3 RtlFreeHeap 94955->94956 94956->94953 94960 42ca33 94957->94960 94959 42e8be 94959->94955 94961 42ca50 94960->94961 94962 42ca61 RtlAllocateHeap 94961->94962 94962->94959 94963 4249e3 94964 4249ff 94963->94964 94965 424a27 94964->94965 94966 424a3b 94964->94966 94967 42c713 NtClose 94965->94967 94968 42c713 NtClose 94966->94968 94969 424a30 94967->94969 94970 424a44 94968->94970 94973 42e8e3 RtlAllocateHeap 94970->94973 94972 424a4f 94973->94972 94974 42f863 94975 42f873 94974->94975 94976 42f879 94974->94976 94977 42e8a3 RtlAllocateHeap 94976->94977 94978 42f89f 94977->94978 94994 424d73 94995 424d8c 94994->94995 94996 424dd7 94995->94996 94999 424e1a 94995->94999 95001 424e1f 94995->95001 94997 42e7c3 RtlFreeHeap 94996->94997 94998 424de7 94997->94998 95000 42e7c3 RtlFreeHeap 94999->95000 95000->95001 94984 4178e3 94985 417907 94984->94985 94986 41790e 94985->94986 94987 417943 LdrLoadDll 94985->94987 94987->94986 94988 413d63 94992 413d83 94988->94992 94990 413de2 94991 413dec 94992->94991 94993 41b513 RtlFreeHeap LdrInitializeThunk LdrInitializeThunk 94992->94993 94993->94990 94879 401a45 94880 401a51 94879->94880 94883 42fd33 94880->94883 94886 42e383 94883->94886 94887 42e3a9 94886->94887 94896 407453 94887->94896 94889 42e3bf 94895 401aa9 94889->94895 94899 41b203 94889->94899 94891 42e3de 94892 42e3f3 94891->94892 94893 42cad3 ExitProcess 94891->94893 94910 42cad3 94892->94910 94893->94892 94913 416593 94896->94913 94898 407460 94898->94889 94900 41b22f 94899->94900 94937 41b0f3 94900->94937 94903 41b274 94906 41b290 94903->94906 94908 42c713 NtClose 94903->94908 94904 41b25c 94905 41b267 94904->94905 94943 42c713 94904->94943 94905->94891 94906->94891 94909 41b286 94908->94909 94909->94891 94911 42caf0 94910->94911 94912 42cb01 ExitProcess 94911->94912 94912->94895 94914 4165ad 94913->94914 94916 4165c6 94914->94916 94917 42d183 94914->94917 94916->94898 94919 42d19d 94917->94919 94918 42d1cc 94918->94916 94919->94918 94924 42bd53 94919->94924 94925 42bd70 94924->94925 94931 1622c0a 94925->94931 94926 42bd9c 94928 42e7c3 94926->94928 94934 42ca83 94928->94934 94930 42d242 94930->94916 94932 1622c11 94931->94932 94933 1622c1f LdrInitializeThunk 94931->94933 94932->94926 94933->94926 94935 42ca9d 94934->94935 94936 42caae RtlFreeHeap 94935->94936 94936->94930 94938 41b1e9 94937->94938 94939 41b10d 94937->94939 94938->94903 94938->94904 94946 42bdf3 94939->94946 94942 42c713 NtClose 94942->94938 94944 42c730 94943->94944 94945 42c741 NtClose 94944->94945 94945->94905 94947 42be0d 94946->94947 94950 16235c0 LdrInitializeThunk 94947->94950 94948 41b1dd 94948->94942 94950->94948

                                                                      Executed Functions

                                                                      Function 004178E3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417955
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_400000_Payment Advice D 0024679526 3930.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID:
                                                                      • API String ID: 2234796835-0
                                                                      • Opcode ID: b693ed89f4e9785a237846af1f345434269f374b70b3ff8db407c0a2a3d3851e
                                                                      • Instruction ID: b1debd7875aa39e42b6ba1488dcb691615432184dc90df6611ff2312ace15cfe
                                                                      • Opcode Fuzzy Hash: b693ed89f4e9785a237846af1f345434269f374b70b3ff8db407c0a2a3d3851e
                                                                      • Instruction Fuzzy Hash: 840112B5E1020DA7DB10DAA5DC42FDEB7789B54308F4041A6E90897241F635EB588B95
                                                                      Function 0042C713 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 25 42c713-42c74f call 404733 call 42d963 NtClose
                                                                      APIs
                                                                      • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C74A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_400000_Payment Advice D 0024679526 3930.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID:
                                                                      • API String ID: 3535843008-0
                                                                      • Opcode ID: ff58566f2d9fa89099de2cc9a3efd2b5a34b90fd3400549af8a1988bb226be77
                                                                      • Instruction ID: 74cb8e24429c7127855f75ede90c996c18a48c010ae6dde299821f37cfa2d592
                                                                      • Opcode Fuzzy Hash: ff58566f2d9fa89099de2cc9a3efd2b5a34b90fd3400549af8a1988bb226be77
                                                                      • Instruction Fuzzy Hash: A2E086762002147FD620EA5ADC41FDB775CDFC5714F00402AFA8877181C675791487F5
                                                                      Function 01622DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 40 1622df0-1622dfc LdrInitializeThunk
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 7c851b553deff2e51e687cfeb96a88923f544fd0e06972dd9bcb4ebfab49ed86
                                                                      • Instruction ID: 49bc0e817323dcb92121d463c592645275d51ac61b7b22abb9bbe65dbf089442
                                                                      • Opcode Fuzzy Hash: 7c851b553deff2e51e687cfeb96a88923f544fd0e06972dd9bcb4ebfab49ed86
                                                                      • Instruction Fuzzy Hash: 2090023160140413D11175584904747001D97D0241F95C512B4428658ED6568A53B221
                                                                      Function 01622C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 1622c70-1622c7c LdrInitializeThunk
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: d5455b5eb3dbf81eda3393412918eb38faed49a39e2ab225edd05a96683f64d9
                                                                      • Instruction ID: a5faf4f3e1ada70566cc8fd050fd4045ae70dadfc26c755d57589f6cf05efb5e
                                                                      • Opcode Fuzzy Hash: d5455b5eb3dbf81eda3393412918eb38faed49a39e2ab225edd05a96683f64d9
                                                                      • Instruction Fuzzy Hash: 2E90023160148802D1107558880478B001997D0301F59C511B8428758EC69589927221
                                                                      Function 016235C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 41 16235c0-16235cc LdrInitializeThunk
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: b390988428a2ba8ea373c9417743876ba929bddfb09a57d115ea201bfda7e2cd
                                                                      • Instruction ID: 6b0abfa080f58805b4afb7f003ea9affff3d96b21fa665befba6a9d8f8c98f6a
                                                                      • Opcode Fuzzy Hash: b390988428a2ba8ea373c9417743876ba929bddfb09a57d115ea201bfda7e2cd
                                                                      • Instruction Fuzzy Hash: 9A900231A0550402D10075584914747101997D0201F65C511B4428668EC7958A5276A2
                                                                      Function 0042CA83 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 42ca83-42cac4 call 404733 call 42d963 RtlFreeHeap
                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CABF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_400000_Payment Advice D 0024679526 3930.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID: !fA
                                                                      • API String ID: 3298025750-4105324770
                                                                      • Opcode ID: 3f71c8c9f87e6b8285d4c5ad0f58e99df957fb1716898f095b35ca35d33033ff
                                                                      • Instruction ID: 1e4aba11d5c0ccdbf7a67024826715e9db936d78db8835abece5e02299c29402
                                                                      • Opcode Fuzzy Hash: 3f71c8c9f87e6b8285d4c5ad0f58e99df957fb1716898f095b35ca35d33033ff
                                                                      • Instruction Fuzzy Hash: 6AE06DB62042047BD714EE59DC41EAB37ACEFC5714F000019FA08A7241D670B9108BB4
                                                                      Function 0042CA33 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 20 42ca33-42ca77 call 404733 call 42d963 RtlAllocateHeap
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(?,0041E694,?,?,00000000,?,0041E694,?,?,?), ref: 0042CA72
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_400000_Payment Advice D 0024679526 3930.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 827ad30f3f0474cac9348308e8d2ce981deded8197616a5ffcdebe9d0b8923f8
                                                                      • Instruction ID: 1f729a9eb2238079f11578e9ee1fe9b2e85e8e01a775daacb08f3c7869812e9d
                                                                      • Opcode Fuzzy Hash: 827ad30f3f0474cac9348308e8d2ce981deded8197616a5ffcdebe9d0b8923f8
                                                                      • Instruction Fuzzy Hash: 33E065B2204204BBE714EF59EC81FAB37ACEFC9710F004119FA08A7242C670B9108BB8
                                                                      Function 0042CAD3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 30 42cad3-42cb0f call 404733 call 42d963 ExitProcess
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_400000_Payment Advice D 0024679526 3930.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID:
                                                                      • API String ID: 621844428-0
                                                                      • Opcode ID: cb0ccc95c75b4fe4c600b8398c292feadcb32f9aaa21b0e37cd4cd8865bbb369
                                                                      • Instruction ID: 321f1c1e9d56fc412e46f5e1dc841546a89ae2c1970867f909047b56a3235263
                                                                      • Opcode Fuzzy Hash: cb0ccc95c75b4fe4c600b8398c292feadcb32f9aaa21b0e37cd4cd8865bbb369
                                                                      • Instruction Fuzzy Hash: 41E04F712006147BC220EA5ADC41F9B775CDFC5724F004029FB18A7141DA70B90087F5
                                                                      Function 01622C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 35 1622c0a-1622c0f 36 1622c11-1622c18 35->36 37 1622c1f-1622c26 LdrInitializeThunk 35->37
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 5757b8eeb315fced8404229affb36b42493b773890ecf5f22d5d392d1da97638
                                                                      • Instruction ID: 0ecff2aca33659c0c3924ebc81bfa6ca81043a41d1ddbae41014f68c756c0c9a
                                                                      • Opcode Fuzzy Hash: 5757b8eeb315fced8404229affb36b42493b773890ecf5f22d5d392d1da97638
                                                                      • Instruction Fuzzy Hash: B4B09B71D019D5C5DA51E7644E08717791477D0701F15C165E2034751F4738C1D1F675

                                                                      Non-executed Functions

                                                                      Function 01662349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                      • API String ID: 0-2160512332
                                                                      • Opcode ID: f623e7b58054c7931f14334ff8ce8173543e31d0e1c54f1e7de31f2169a125d7
                                                                      • Instruction ID: 8250cbb38c769c1152cab639821971c4973feb0ac4e95b2fb097ee145ada4182
                                                                      • Opcode Fuzzy Hash: f623e7b58054c7931f14334ff8ce8173543e31d0e1c54f1e7de31f2169a125d7
                                                                      • Instruction Fuzzy Hash: 8A928C71604342AFE721CE29CC90B6BBBE9BB84754F04492DFA95DB390D770E844CB92
                                                                      Function 01618620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • Address of the debug info found in the active list., xrefs: 016554AE, 016554FA
                                                                      • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016554E2
                                                                      • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0165540A, 01655496, 01655519
                                                                      • Thread identifier, xrefs: 0165553A
                                                                      • Critical section debug info address, xrefs: 0165541F, 0165552E
                                                                      • Critical section address, xrefs: 01655425, 016554BC, 01655534
                                                                      • undeleted critical section in freed memory, xrefs: 0165542B
                                                                      • Invalid debug info address of this critical section, xrefs: 016554B6
                                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016554CE
                                                                      • Thread is in a state in which it cannot own a critical section, xrefs: 01655543
                                                                      • corrupted critical section, xrefs: 016554C2
                                                                      • double initialized or corrupted critical section, xrefs: 01655508
                                                                      • 8, xrefs: 016552E3
                                                                      • Critical section address., xrefs: 01655502
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                      • API String ID: 0-2368682639
                                                                      • Opcode ID: 8b115cffb62d07f2c5d525b77cd8486c02ea06894ff97e578f5f24c8dc5b1445
                                                                      • Instruction ID: 454d64714f95e5f71af499e13c1519b3a594014a5269c1a2a38d60f41322fcb8
                                                                      • Opcode Fuzzy Hash: 8b115cffb62d07f2c5d525b77cd8486c02ea06894ff97e578f5f24c8dc5b1445
                                                                      • Instruction Fuzzy Hash: 2681ACB0A01359EFDB60CF99CC44BAEBBB9BB49B04F14411DF905BB241D3B5A941CB90
                                                                      Function 016129F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016524C0
                                                                      • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01652412
                                                                      • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01652624
                                                                      • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01652602
                                                                      • @, xrefs: 0165259B
                                                                      • RtlpResolveAssemblyStorageMapEntry, xrefs: 0165261F
                                                                      • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01652409
                                                                      • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016522E4
                                                                      • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01652506
                                                                      • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01652498
                                                                      • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016525EB
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                      • API String ID: 0-4009184096
                                                                      • Opcode ID: 6ab01f1485abc08f47b2e41210f71233f26d810d12aad5a2dbf0499d5e01d59f
                                                                      • Instruction ID: a1b577d40bf9a0c7e8848069b1837d2e9816e8248e3a0c96246fe22db5828813
                                                                      • Opcode Fuzzy Hash: 6ab01f1485abc08f47b2e41210f71233f26d810d12aad5a2dbf0499d5e01d59f
                                                                      • Instruction Fuzzy Hash: 96027FB1D002299FDB61DB54CC90BAAB7B8AF54704F0441DEEB09A7241EB309F85CF69
                                                                      Function 01688B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                      • API String ID: 0-2515994595
                                                                      • Opcode ID: a8f6e4955231c5bb919c2256db4354d3ab3c98f3c83a13636d7f644309d2a5d2
                                                                      • Instruction ID: e83fe953a741d2efeab6acb9013e249581b863a8105e2283392a1255f259c584
                                                                      • Opcode Fuzzy Hash: a8f6e4955231c5bb919c2256db4354d3ab3c98f3c83a13636d7f644309d2a5d2
                                                                      • Instruction Fuzzy Hash: 3E519D725053119BD329EF188C84BABBBECBFD8350F544A1DF99987285E770D604CB92
                                                                      Function 01690274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                      • API String ID: 0-1700792311
                                                                      • Opcode ID: 959e306c4a6cfe6e6837945b16bb2ac65d9afd3183ddedea40888b7c438de3f5
                                                                      • Instruction ID: c4b3bd2116989e9ad52b71eea702bb38d4bcaf7b79733777156fd5a1a7cbf69e
                                                                      • Opcode Fuzzy Hash: 959e306c4a6cfe6e6837945b16bb2ac65d9afd3183ddedea40888b7c438de3f5
                                                                      • Instruction Fuzzy Hash: 66D1CA31A01686EFDF22DF68CC40AA9BBFAFF8A710F098059F5459B752C7349981CB54
                                                                      Function 016689B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • VerifierFlags, xrefs: 01668C50
                                                                      • VerifierDebug, xrefs: 01668CA5
                                                                      • HandleTraces, xrefs: 01668C8F
                                                                      • AVRF: -*- final list of providers -*- , xrefs: 01668B8F
                                                                      • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01668A67
                                                                      • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01668A3D
                                                                      • VerifierDlls, xrefs: 01668CBD
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                      • API String ID: 0-3223716464
                                                                      • Opcode ID: 79b456a7ddb808fe14796886c04ce8a0b469b9bb0797537d2d69a819b2edc738
                                                                      • Instruction ID: 9a191cfd6b33865fabc173689e91e6ea376de7681248115970e6758456dd1158
                                                                      • Opcode Fuzzy Hash: 79b456a7ddb808fe14796886c04ce8a0b469b9bb0797537d2d69a819b2edc738
                                                                      • Instruction Fuzzy Hash: 5A911272A42712AFD721EF78CC90B5A7BADBBA4B14F04445CFA426F644C770AC05CBA5
                                                                      Function 015EEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                      • API String ID: 0-1109411897
                                                                      • Opcode ID: 493aec505ef7f5ddff60759fe4f2959b72b5db4cb8fb81cc509ba40c057b2781
                                                                      • Instruction ID: e1570e4b1b38af83355ac08c4343769a63b04cbbb0fea3819e650a01940e5f0c
                                                                      • Opcode Fuzzy Hash: 493aec505ef7f5ddff60759fe4f2959b72b5db4cb8fb81cc509ba40c057b2781
                                                                      • Instruction Fuzzy Hash: 7DA21774E0562A8FDB68DF19CD997A9BBF5FB45304F1442EAD909AB250DB309E81CF00
                                                                      Function 016163FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                      • API String ID: 0-792281065
                                                                      • Opcode ID: a5e45dff091d42f2fe938a5c01c6ef200fc754fb9ab1d7748ee4ce50856f5548
                                                                      • Instruction ID: f6759c52eadf8bf71668481b3d0e03ae160183f7ae6b11b42aeec441e631e1ef
                                                                      • Opcode Fuzzy Hash: a5e45dff091d42f2fe938a5c01c6ef200fc754fb9ab1d7748ee4ce50856f5548
                                                                      • Instruction Fuzzy Hash: 40916871F423229BDB35DF58DC44BAA7BB2BB40B14F04805CED016B785EBB09842C795
                                                                      Function 015D645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • LdrpInitShimEngine, xrefs: 016399F4, 01639A07, 01639A30
                                                                      • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01639A01
                                                                      • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016399ED
                                                                      • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01639A2A
                                                                      • apphelp.dll, xrefs: 015D6496
                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01639A11, 01639A3A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                      • API String ID: 0-204845295
                                                                      • Opcode ID: d33a29ec0cec05846ff88988d4f60a0f698e758c63caa908caba00d1e273be83
                                                                      • Instruction ID: 95244aafa106e526f599f11b4cf6bf9fc19376d0b1f66b123f4ac5ccbe7b9614
                                                                      • Opcode Fuzzy Hash: d33a29ec0cec05846ff88988d4f60a0f698e758c63caa908caba00d1e273be83
                                                                      • Instruction Fuzzy Hash: 095190716083059FE724DF68CC81BAB77E5FBC4748F40091DE9859B250DBB0E946CB96
                                                                      Function 01612674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • SXS: %s() passed the empty activation context, xrefs: 01652165
                                                                      • RtlGetAssemblyStorageRoot, xrefs: 01652160, 0165219A, 016521BA
                                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016521BF
                                                                      • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01652180
                                                                      • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01652178
                                                                      • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0165219F
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                      • API String ID: 0-861424205
                                                                      • Opcode ID: 20b9020f5b2118b4a209046d268d4a3988a951930a84623958d8e76456222be4
                                                                      • Instruction ID: f13187491160a52cad81ed6a0e8af6d00ec1a6c432fa03fcce4a3af2d3ea0746
                                                                      • Opcode Fuzzy Hash: 20b9020f5b2118b4a209046d268d4a3988a951930a84623958d8e76456222be4
                                                                      • Instruction Fuzzy Hash: 78310636A40215ABE7218EDADCA1F6B7A69EB54E50F19405DBB046B244D7709A01CBA0
                                                                      Function 0161C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • Unable to build import redirection Table, Status = 0x%x, xrefs: 016581E5
                                                                      • LdrpInitializeImportRedirection, xrefs: 01658177, 016581EB
                                                                      • Loading import redirection DLL: '%wZ', xrefs: 01658170
                                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01658181, 016581F5
                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0161C6C3
                                                                      • LdrpInitializeProcess, xrefs: 0161C6C4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                      • API String ID: 0-475462383
                                                                      • Opcode ID: 44b46bad466ec5bca7416a29cee32d8d59a99486ba89e24fb4dc29c140655364
                                                                      • Instruction ID: 0f1cd5012fefb30ae273b6568c9275a35de051e3755afce5dbb2649db9fe4dab
                                                                      • Opcode Fuzzy Hash: 44b46bad466ec5bca7416a29cee32d8d59a99486ba89e24fb4dc29c140655364
                                                                      • Instruction Fuzzy Hash: 153104716447169FC324EF69DC45E2A77A5BF94B10F05095CFD806B391E720EC04C7A6
                                                                      Function 0162096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                        • Part of subcall function 01622DF0: LdrInitializeThunk.NTDLL ref: 01622DFA
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01620BA3
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01620BB6
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01620D60
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01620D74
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 1404860816-0
                                                                      • Opcode ID: 0024e2b11792d85b938444472787c45bfac417f1b839533ed49c7dc6b2a9384c
                                                                      • Instruction ID: 12d020c000f2aeb2d810c074dcc9be137e94660894c7980ff08151b4274819b7
                                                                      • Opcode Fuzzy Hash: 0024e2b11792d85b938444472787c45bfac417f1b839533ed49c7dc6b2a9384c
                                                                      • Instruction Fuzzy Hash: 2F425A75900715DFDB61CF28CC80BAAB7F5BF44314F1485AAE989EB241E770AA85CF60
                                                                      Function 015EA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                      • API String ID: 0-379654539
                                                                      • Opcode ID: acd383981b6ba11aa9249a8402a66efd36ce335b7d0efb09cbc8b63907687da4
                                                                      • Instruction ID: 02c16db7e1591eafc466b29371b784da04c24253f1a0af0d9679e541811b151e
                                                                      • Opcode Fuzzy Hash: acd383981b6ba11aa9249a8402a66efd36ce335b7d0efb09cbc8b63907687da4
                                                                      • Instruction Fuzzy Hash: 38C18A75908382CFD729CF68C448B6AB7E4BF84704F04886EF9958F251E774C949CB66
                                                                      Function 01618402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0161855E
                                                                      • @, xrefs: 01618591
                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01618421
                                                                      • LdrpInitializeProcess, xrefs: 01618422
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                      • API String ID: 0-1918872054
                                                                      • Opcode ID: f7a2306e64640d35f3d408d1afa5e18f91a27714224af6778cea4fe35e472ea9
                                                                      • Instruction ID: 18eef4eafa4815632d2794f6c73015e160d155ca0d56c8c7977d9baedba398aa
                                                                      • Opcode Fuzzy Hash: f7a2306e64640d35f3d408d1afa5e18f91a27714224af6778cea4fe35e472ea9
                                                                      • Instruction Fuzzy Hash: D891B971508342AFD761DF25CC90FABBAECFF84684F44092EFA8596154E730D904CB62
                                                                      Function 0161273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016522B6
                                                                      • SXS: %s() passed the empty activation context, xrefs: 016521DE
                                                                      • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016521D9, 016522B1
                                                                      • .Local, xrefs: 016128D8
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                      • API String ID: 0-1239276146
                                                                      • Opcode ID: bca73249ae3a099f5975f5b105afd04cb1219b2751b18c4603066ff26ad9e142
                                                                      • Instruction ID: e332e39a667280ff09de4201a588cb9cf855a72bd568cc637471dd655ebbe531
                                                                      • Opcode Fuzzy Hash: bca73249ae3a099f5975f5b105afd04cb1219b2751b18c4603066ff26ad9e142
                                                                      • Instruction Fuzzy Hash: 59A1BA3590022ADBDB24CF69CCA4BA9B7B1BF58354F2945EDD908AB355D7309E81CF80
                                                                      Function 01614AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01653437
                                                                      • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01653456
                                                                      • RtlDeactivateActivationContext, xrefs: 01653425, 01653432, 01653451
                                                                      • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0165342A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                      • API String ID: 0-1245972979
                                                                      • Opcode ID: edd0b447249855132fc5164c6a902fabf26762873d904816b96f044d32582cd3
                                                                      • Instruction ID: 378b8359b8d445c78af1065744d7d8fa5cd27528e8daedee902c22c616b62f23
                                                                      • Opcode Fuzzy Hash: edd0b447249855132fc5164c6a902fabf26762873d904816b96f044d32582cd3
                                                                      • Instruction Fuzzy Hash: 43610E32651B129FD7228F1DCC81B2ABBE5BF80B90F19852DE9559F344DB30E802CB95
                                                                      Function 015E64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016410AE
                                                                      • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0164106B
                                                                      • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01640FE5
                                                                      • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01641028
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                      • API String ID: 0-1468400865
                                                                      • Opcode ID: ad2b38ee37c8d7cb82d567a7cc6a6320750d826d6915d6b37969d433920ce9d2
                                                                      • Instruction ID: 6a772b670b05456560a067584e37ad22e6fa896398638f3c19d54007ed03e5f9
                                                                      • Opcode Fuzzy Hash: ad2b38ee37c8d7cb82d567a7cc6a6320750d826d6915d6b37969d433920ce9d2
                                                                      • Instruction Fuzzy Hash: DA71AEB1A043159FCB21DF18CC88B9B7BE9AFA57A4F50086DF9488B246D734D588CF91
                                                                      Function 0160245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0164A992
                                                                      • LdrpDynamicShimModule, xrefs: 0164A998
                                                                      • apphelp.dll, xrefs: 01602462
                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0164A9A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                      • API String ID: 0-176724104
                                                                      • Opcode ID: 76eb4f6f6ec14934da9e61e079a6b96cbe69b65ce7fe9ff87f91a2506f6a2a59
                                                                      • Instruction ID: 4cb74187eb240cf4043e0ed6cda8de52d9cac5990ad30b2ef8bbea45e77a466c
                                                                      • Opcode Fuzzy Hash: 76eb4f6f6ec14934da9e61e079a6b96cbe69b65ce7fe9ff87f91a2506f6a2a59
                                                                      • Instruction Fuzzy Hash: AC3146B5E91202BBDB359F9DCC85A6AB7B5FB84B00F17001DE9026B345C7B05892C790
                                                                      Function 015F29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015F327D
                                                                      • HEAP[%wZ]: , xrefs: 015F3255
                                                                      • HEAP: , xrefs: 015F3264
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                      • API String ID: 0-617086771
                                                                      • Opcode ID: 2773bb19f68e245129a61d9145ac1639d103548a8d5ec7ce7e1c3f30de08ecfc
                                                                      • Instruction ID: c403dbba91cff78344529df8817e0554954d9b68c93061d4e3555cc269a02158
                                                                      • Opcode Fuzzy Hash: 2773bb19f68e245129a61d9145ac1639d103548a8d5ec7ce7e1c3f30de08ecfc
                                                                      • Instruction Fuzzy Hash: 40929B71A042499FEB25CF68C844BAEBBF1FF48300F18849DEA55AB391D735A945CF50
                                                                      Function 015F0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                      • API String ID: 0-4253913091
                                                                      • Opcode ID: e91fad08b7096ba9e3b45c36c9a7303b4b0ed287b283c8bcfe5eb9ce5787a404
                                                                      • Instruction ID: d5b76cb1ea800d229ccae8aa852007dec9f4ed07f787f5101e91a02753b14b68
                                                                      • Opcode Fuzzy Hash: e91fad08b7096ba9e3b45c36c9a7303b4b0ed287b283c8bcfe5eb9ce5787a404
                                                                      • Instruction Fuzzy Hash: 9DF1BF30A01606DFEB25CF68C994B6AB7F6FF44704F1885ADE6169B392D730E941CB90
                                                                      Function 01606962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $@
                                                                      • API String ID: 0-1077428164
                                                                      • Opcode ID: ecc4139566633821532ad27c4451ac5b08eda8dad24060b7e442fee1357f7e78
                                                                      • Instruction ID: b920c96a94633471f20768df0be891e45b44659a4a25725bbfb521743f527968
                                                                      • Opcode Fuzzy Hash: ecc4139566633821532ad27c4451ac5b08eda8dad24060b7e442fee1357f7e78
                                                                      • Instruction Fuzzy Hash: BEC27F716093519FE72ACF28CC40BABBBE5AF88754F05892DE9C987381D734E845CB52
                                                                      Function 015DA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                                      • API String ID: 0-2779062949
                                                                      • Opcode ID: 3afd008a22c5fbc6584d1b0a79f4f45359c1ff049a43ee9768bd03989325de23
                                                                      • Instruction ID: 1c741fe87d74e4ad9ed4cd62adb67c756052da2fb77a5ae0c14ce7abc6d9635d
                                                                      • Opcode Fuzzy Hash: 3afd008a22c5fbc6584d1b0a79f4f45359c1ff049a43ee9768bd03989325de23
                                                                      • Instruction Fuzzy Hash: F4A18F719116299BDB31DF28CC88BEAB7B8FF44710F1001EAE909A7251E7359E84CF54
                                                                      Function 01600BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0164A121
                                                                      • Failed to allocated memory for shimmed module list, xrefs: 0164A10F
                                                                      • LdrpCheckModule, xrefs: 0164A117
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                      • API String ID: 0-161242083
                                                                      • Opcode ID: bee4a7390112cca1c1b00cea1d15da7992ccc49041a605e8e50c5de7fc99144b
                                                                      • Instruction ID: e91d5cf8b0d0cc8cb65a6378a0bb8f6fb1ca77a256a9e32b5918faddf3ac6089
                                                                      • Opcode Fuzzy Hash: bee4a7390112cca1c1b00cea1d15da7992ccc49041a605e8e50c5de7fc99144b
                                                                      • Instruction Fuzzy Hash: 9471C171E402069FDB2ADFA8CD81BAEB7F5FB48644F15402DE506DB351E734A942CB50
                                                                      Function 015F0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                      • API String ID: 0-1334570610
                                                                      • Opcode ID: 1defb1d777b265b940bd7086c2c91b963295e239a6a9609f6fe06660bbf123dc
                                                                      • Instruction ID: 3c2c7769393656a0f69a9832897860708d1c70ca49ecf12fc0812f3555d319ff
                                                                      • Opcode Fuzzy Hash: 1defb1d777b265b940bd7086c2c91b963295e239a6a9609f6fe06660bbf123dc
                                                                      • Instruction Fuzzy Hash: 5861B270600346DFDB29DF28C880B6ABBE2FF45704F18855DE59A8F296D770E881CB91
                                                                      Function 0161C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 016582DE
                                                                      • Failed to reallocate the system dirs string !, xrefs: 016582D7
                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 016582E8
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                      • API String ID: 0-1783798831
                                                                      • Opcode ID: c3d327b624eb42be398b625644fba0b6e5f12d93668cc97940d2348ad223e348
                                                                      • Instruction ID: 5d8f0b9bdaf34fcf2ff248550fad74f7eb2e70366c86f329f48f1d3ae0c39afc
                                                                      • Opcode Fuzzy Hash: c3d327b624eb42be398b625644fba0b6e5f12d93668cc97940d2348ad223e348
                                                                      • Instruction Fuzzy Hash: C841F1B1951312ABD721EB69DC44B6B7BE8FF84750F04482EF944D7294E7B0D800CB92
                                                                      Function 0169C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • PreferredUILanguages, xrefs: 0169C212
                                                                      • @, xrefs: 0169C1F1
                                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0169C1C5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                      • API String ID: 0-2968386058
                                                                      • Opcode ID: a0782d5b13be4c930e6a9ff18483f136d8b49ee825d76376810693e5169489f7
                                                                      • Instruction ID: 19217f2aa71fb92fe1f2e7b44072de2221966e8ff4fe4fc5a50828ebd235197c
                                                                      • Opcode Fuzzy Hash: a0782d5b13be4c930e6a9ff18483f136d8b49ee825d76376810693e5169489f7
                                                                      • Instruction Fuzzy Hash: C3416271E0021AABDF11DBD8CC91BEEBBBDAB55704F1480AAE605A7280D7749A45CB50
                                                                      Function 01674144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                      • API String ID: 0-1373925480
                                                                      • Opcode ID: 29a502374bb8e4595265a6dcdfdd28cfc8944a2deaea5ec9bec42be052d81f15
                                                                      • Instruction ID: ae0f8125a869d6e12aafd7f5d587b22727661f617763eac4ae6e3dc12d011a9b
                                                                      • Opcode Fuzzy Hash: 29a502374bb8e4595265a6dcdfdd28cfc8944a2deaea5ec9bec42be052d81f15
                                                                      • Instruction Fuzzy Hash: 99410231A006498FEB26DBD9DC48BADBBB9FF95340F14045ADA11EF791DB358901CB10
                                                                      Function 01664755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • LdrpCheckRedirection, xrefs: 0166488F
                                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01664888
                                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01664899
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                      • API String ID: 0-3154609507
                                                                      • Opcode ID: 77667a52d25004895360b74f5f7420ccd157d5c5826d79f5a8d8ea61e0d039db
                                                                      • Instruction ID: 3f32c0e1e4fbdbfc9568f0a73c85dba48647fb69d96aeff8c652237d210d989a
                                                                      • Opcode Fuzzy Hash: 77667a52d25004895360b74f5f7420ccd157d5c5826d79f5a8d8ea61e0d039db
                                                                      • Instruction Fuzzy Hash: CE41D132A056519FCB21CE6CDD40A66BFEDBF8AA90F06056DED49DB351DB30E810CB91
                                                                      Function 015F0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                      • API String ID: 0-2558761708
                                                                      • Opcode ID: 98137fd8dbcaed7430a45e0dec2b4229c355be35b74d6953419ff7efcafecf9a
                                                                      • Instruction ID: edec4bd886d69d717e68050bf911d0c08b41dd24faff41bc7178fd3516b5807f
                                                                      • Opcode Fuzzy Hash: 98137fd8dbcaed7430a45e0dec2b4229c355be35b74d6953419ff7efcafecf9a
                                                                      • Instruction Fuzzy Hash: 5411CD313161469FDB29DB18C880B6AB3A6BF41716F18811EF506CF292DB34D841C755
                                                                      Function 016620DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • Process initialization failed with status 0x%08lx, xrefs: 016620F3
                                                                      • LdrpInitializationFailure, xrefs: 016620FA
                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01662104
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                      • API String ID: 0-2986994758
                                                                      • Opcode ID: 0eebcae3bbd4cc579519f9c5b36a75e800991c482bdf7f0e8967108b138fcb97
                                                                      • Instruction ID: d9082f9d4f9c2188f169eb67b4e6f25619514b0ed4b71c8f4e23aefca54c6ea5
                                                                      • Opcode Fuzzy Hash: 0eebcae3bbd4cc579519f9c5b36a75e800991c482bdf7f0e8967108b138fcb97
                                                                      • Instruction Fuzzy Hash: BBF02274A40708AFE724EA8CCC56FAA776DFB40B04F10002CFB007B781D3B0A950CA85
                                                                      Function 015F03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: #%u
                                                                      • API String ID: 48624451-232158463
                                                                      • Opcode ID: 3ae29b5f43475a23d5456f818ff08b8298617ecd7366ad7d44513613fc9885bd
                                                                      • Instruction ID: 7bd550ca02dab0cc54ba21c4ad67ac2d668612d22a00aee80e8b1aa4a079c537
                                                                      • Opcode Fuzzy Hash: 3ae29b5f43475a23d5456f818ff08b8298617ecd7366ad7d44513613fc9885bd
                                                                      • Instruction Fuzzy Hash: A1713B71A0014A9FDB01DFA8CD95BAEB7F9BF48744F144069EA05EB291EB34ED01CB64
                                                                      Function 015EA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • LdrResSearchResource Exit, xrefs: 015EAA25
                                                                      • LdrResSearchResource Enter, xrefs: 015EAA13
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                      • API String ID: 0-4066393604
                                                                      • Opcode ID: 78bd5bad2d1a025b74a95886f6705c0cc35b603d961758d1ac68e3a7bcf0ec20
                                                                      • Instruction ID: b7e6b71722a7ba112a3138e17513a0d6fb45970f523017c4f68417e1c90aa102
                                                                      • Opcode Fuzzy Hash: 78bd5bad2d1a025b74a95886f6705c0cc35b603d961758d1ac68e3a7bcf0ec20
                                                                      • Instruction Fuzzy Hash: ECE17071E002199BEF268FA9DD88BAEBBF9BF54310F104529F901EB351D7749941CB50
                                                                      Function 016AA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `$`
                                                                      • API String ID: 0-197956300
                                                                      • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                      • Instruction ID: a698c2c5862afa5a4a5d6c68120d0806c8aee6c4c55a1dfe6510da5f284cc184
                                                                      • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                      • Instruction Fuzzy Hash: 7EC1BE312043429BE725CF68CC41B6BBBE6AFC4318F484A2EF6968B291D774D905CF55
                                                                      Function 0165E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: Legacy$UEFI
                                                                      • API String ID: 2994545307-634100481
                                                                      • Opcode ID: 04453d044d9fe209a234fe426ea51036be310e262120bbd48d4c4d97dba2052c
                                                                      • Instruction ID: fab33ac51e98d38f9c8150a5bc9c232732f845c3be453a0f92c2bf6239fbf219
                                                                      • Opcode Fuzzy Hash: 04453d044d9fe209a234fe426ea51036be310e262120bbd48d4c4d97dba2052c
                                                                      • Instruction Fuzzy Hash: 45616C72E006199FDF54DFA88D80BADFBB5FB48700F15406EEA49EB241D732AA00CB50
                                                                      Function 016843D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$MUI
                                                                      • API String ID: 0-17815947
                                                                      • Opcode ID: bf0ed8d15235f81f2f4f51612c9f9d980436b485a5375accca91b1209a5b7cf9
                                                                      • Instruction ID: 5d3890d03d3bf9ab7bfa470e6e4366a162db0a8575b38d4b5b8aec26540c485f
                                                                      • Opcode Fuzzy Hash: bf0ed8d15235f81f2f4f51612c9f9d980436b485a5375accca91b1209a5b7cf9
                                                                      • Instruction Fuzzy Hash: B051F771E4061EAEDF11DFA9CC90BEEBBB9FB58754F100629E611B7290DB309905CB60
                                                                      Function 015E04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 015E063D
                                                                      • kLsE, xrefs: 015E0540
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                      • API String ID: 0-2547482624
                                                                      • Opcode ID: 0d9a80e11528e64fa055cdaf855a6463cee4ed8f5993f5ac7de1e28c6dbcd953
                                                                      • Instruction ID: 5f70e8b770cf9fda9721c06aa55b128ff9609da5bce332dea9a4654e61df063f
                                                                      • Opcode Fuzzy Hash: 0d9a80e11528e64fa055cdaf855a6463cee4ed8f5993f5ac7de1e28c6dbcd953
                                                                      • Instruction Fuzzy Hash: 1951A171A047429BD728DF68C4487A7B7E4BF84304F10483EE5DA8B281E7B0D545CF91
                                                                      Function 015EA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 015EA2FB
                                                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 015EA309
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                      • API String ID: 0-2876891731
                                                                      • Opcode ID: 4a3aa21c822c701ea33b33b2bd36c9b4003dcaf4de08a1c9eca4aeee17a67ebe
                                                                      • Instruction ID: 588feb8dce0be5d4cfe5c92a5275bf9e022bae34ccc90e30ce76bb6ee31257d4
                                                                      • Opcode Fuzzy Hash: 4a3aa21c822c701ea33b33b2bd36c9b4003dcaf4de08a1c9eca4aeee17a67ebe
                                                                      • Instruction Fuzzy Hash: 07419930A00646DBEB19CF69D894B6ABBF4BF88304F2444A9E914DF391E3B5D900CB50
                                                                      Function 0161A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: Cleanup Group$Threadpool!
                                                                      • API String ID: 2994545307-4008356553
                                                                      • Opcode ID: 29068fbe04ff6f1c0c96588e75589d5719f72b1e609a3be41ce65f33098fde6c
                                                                      • Instruction ID: 28a8472b74ada99cd9dafe54866eed19cf896df9be8f522fead069b3a40b4dd5
                                                                      • Opcode Fuzzy Hash: 29068fbe04ff6f1c0c96588e75589d5719f72b1e609a3be41ce65f33098fde6c
                                                                      • Instruction Fuzzy Hash: A70121B2215780AFD311CF54CD45B1677E8E784725F08883DE608CB180E370E800CB8A
                                                                      Function 015EC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: MUI
                                                                      • API String ID: 0-1339004836
                                                                      • Opcode ID: 82d7dbb86b9363305b4e0baaba3a1bafefcee2af49c6e2ffd67228dbacf2d492
                                                                      • Instruction ID: ea8d2245197a0a4b8cb89f8cda163a957709eb4a2c61efeabba538fc318dbc9e
                                                                      • Opcode Fuzzy Hash: 82d7dbb86b9363305b4e0baaba3a1bafefcee2af49c6e2ffd67228dbacf2d492
                                                                      • Instruction Fuzzy Hash: 12826975E002198FEB29CFA9C988BEDBBF5BF48310F148169E919AF390D7709941CB50
                                                                      Function 01666420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID: 0-3916222277
                                                                      • Opcode ID: c81a61c96b46af231eb3949a5e1ba489ffa365e84bc87adb7d995f8cfb8e098d
                                                                      • Instruction ID: 74193e67bd0a75c1f3bb65795b744327bd47bab3c6542fdf93d503cb6f69753c
                                                                      • Opcode Fuzzy Hash: c81a61c96b46af231eb3949a5e1ba489ffa365e84bc87adb7d995f8cfb8e098d
                                                                      • Instruction Fuzzy Hash: 14918371A0061AAFEB25DF95DC85FAEBBB9EF48750F100059F600AB290D774AD00CBA4
                                                                      Function 0168E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID: 0-3916222277
                                                                      • Opcode ID: b37fef2207ecf65e6a8bf88dd5df178d830876dddc23eb133c21543347899400
                                                                      • Instruction ID: 2a762aa1f0299d6bf19c1c64b289334228824b9d1481583099bbd7e18553bb20
                                                                      • Opcode Fuzzy Hash: b37fef2207ecf65e6a8bf88dd5df178d830876dddc23eb133c21543347899400
                                                                      • Instruction Fuzzy Hash: 0191A13190161ABFDB22AFA5DC54FAFBB7AFF85750F100129F601A7250DB769902CB50
                                                                      Function 0161A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: GlobalTags
                                                                      • API String ID: 0-1106856819
                                                                      • Opcode ID: d622fb05402c001f5565d46ccede13ef190a2324a3c2e069c1b161ebe5b47d70
                                                                      • Instruction ID: 9e43fd968f3b38f26805cb1c028017beb5a2eb1d83f0f34816599cfcf0873f68
                                                                      • Opcode Fuzzy Hash: d622fb05402c001f5565d46ccede13ef190a2324a3c2e069c1b161ebe5b47d70
                                                                      • Instruction Fuzzy Hash: 37716EB5E0021A9FDF68CF9CD9906ADBBB2BF48710F54816EE906A7341E7309941CB64
                                                                      Function 01684978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .mui
                                                                      • API String ID: 0-1199573805
                                                                      • Opcode ID: f45c569fe08073ea61e672979d7db9322961094cf621b9a02078f797f0cc20a6
                                                                      • Instruction ID: ea22d83d5b9948412ec1bb8ff19b2b0f2ee4f38414ed7e68e7211f989f67d399
                                                                      • Opcode Fuzzy Hash: f45c569fe08073ea61e672979d7db9322961094cf621b9a02078f797f0cc20a6
                                                                      • Instruction Fuzzy Hash: EE517372D00227DBDB14EF99DC44BAEBBB4BF54A14F05426AE911BB344DB349801CBA4
                                                                      Function 015FE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: EXT-
                                                                      • API String ID: 0-1948896318
                                                                      • Opcode ID: 6f0306ae414414537746dea5eb6cd0a77b29de48721302b93ddfe2038704838c
                                                                      • Instruction ID: e40c00b5accbe056d58f4fb6636a3f8233e5cc5ea235071c0c2c09c056ab08bb
                                                                      • Opcode Fuzzy Hash: 6f0306ae414414537746dea5eb6cd0a77b29de48721302b93ddfe2038704838c
                                                                      • Instruction Fuzzy Hash: 67418F725093429BD721DA69C881B6FBBE8FF88714F05092DFA84EB190E674D904C796
                                                                      Function 0165C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: BinaryHash
                                                                      • API String ID: 0-2202222882
                                                                      • Opcode ID: b885ef73176134d5f7d5426f2a9b816b29479028ead5de513a8ef93f01add986
                                                                      • Instruction ID: be9b5ba05b3aa4a01af1978532e7c72df404598f09ecc18bf589a78dda2e6169
                                                                      • Opcode Fuzzy Hash: b885ef73176134d5f7d5426f2a9b816b29479028ead5de513a8ef93f01add986
                                                                      • Instruction Fuzzy Hash: BF4145B1D0062DAADB61DA50CC84FDEBB7DAB45714F0145E9EA08AB140DB709E89CF98
                                                                      Function 01676B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #
                                                                      • API String ID: 0-1885708031
                                                                      • Opcode ID: 5fa72bfc109f8a930add28f78caee9d284509800d4c0708cc63939daef4078e2
                                                                      • Instruction ID: 95c938db31272f0ff3c062d5cc87de7dd514c3d63dc11f7132eb55d1ee213913
                                                                      • Opcode Fuzzy Hash: 5fa72bfc109f8a930add28f78caee9d284509800d4c0708cc63939daef4078e2
                                                                      • Instruction Fuzzy Hash: 9C31F431E00B199AFB22DB69CC50BEE7BA8EF45704F14406CEA41AB282DB75D845CB54
                                                                      Function 0165CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: BinaryName
                                                                      • API String ID: 0-215506332
                                                                      • Opcode ID: 86b5cad2ba512d7d9147c454c1b38d16364b342da05156b2e287eaadb7ab954d
                                                                      • Instruction ID: 7b73bf7b50ea60f5dd78ab7441efd0810a16626dba306ec77fbb23b5e5b13882
                                                                      • Opcode Fuzzy Hash: 86b5cad2ba512d7d9147c454c1b38d16364b342da05156b2e287eaadb7ab954d
                                                                      • Instruction Fuzzy Hash: 2631F53690061AAFEB15DB59CC55E6FBB78EF80720F014169ED05AB250D7309E04DBE0
                                                                      Function 0166892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0166895E
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                      • API String ID: 0-702105204
                                                                      • Opcode ID: e0d0be358e7ab3ddd5cbcf53c628fdae525fdd80439d6d5c0929d806cdbbd25d
                                                                      • Instruction ID: 390a3da6c22c826e811ae8f2090ce64c312b418078e1697920118b828a05dd09
                                                                      • Opcode Fuzzy Hash: e0d0be358e7ab3ddd5cbcf53c628fdae525fdd80439d6d5c0929d806cdbbd25d
                                                                      • Instruction Fuzzy Hash: CB01F731A11302AFE7345F7DCC84A567B6DFFD5695B04121CF64207651CB606845C796
                                                                      Function 01682000 Relevance: .8, Instructions: 757COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a7de50df338917808d594de811c01b2f4d12b07204027c8cadf23585278df154
                                                                      • Instruction ID: d7607d9bcd57a3d8ee54f91dc5f92c65868d584ecac707ddb12a2dd6e720d297
                                                                      • Opcode Fuzzy Hash: a7de50df338917808d594de811c01b2f4d12b07204027c8cadf23585278df154
                                                                      • Instruction Fuzzy Hash: 8442D2716083419FDB25EF68CCA0A6BBBE5BF88700F594A2DFA8297350D770D845CB52
                                                                      Function 01678158 Relevance: .6, Instructions: 617COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 151ac685530c493c5b7e0341a6d8a8b0902380ee285330a0aabbf87aee957bd6
                                                                      • Instruction ID: 169677a04672e7e3b064d61c524ecb7ee86626459c967f6b48272bf66c61c3e1
                                                                      • Opcode Fuzzy Hash: 151ac685530c493c5b7e0341a6d8a8b0902380ee285330a0aabbf87aee957bd6
                                                                      • Instruction Fuzzy Hash: 2A425C71E002199FEB25CF69CC45BADBBF9BF88310F158099E949AB242D7349D81CF50
                                                                      Function 015F2840 Relevance: .6, Instructions: 605COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c2032621169ac28149090f07757d627277775bb57faad19ef42f957c73c3946a
                                                                      • Instruction ID: e42e0bedc694bf2b16e5ef3550ff83e99b02623c275d8bc0686409d8a4cf059d
                                                                      • Opcode Fuzzy Hash: c2032621169ac28149090f07757d627277775bb57faad19ef42f957c73c3946a
                                                                      • Instruction Fuzzy Hash: 9632BAB0A006568FEB29CF69CC447BEBBF2BF86304F24811DD5869B785D735A842CB50
                                                                      Function 0168A118 Relevance: .6, Instructions: 591COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 837b4430c3e538ebe26902c3573c4df6517218bdae45b12b18c1360b7e3c36a3
                                                                      • Instruction ID: e026c2fc2e2c7d5dc1a3bea71a7f3f58011435476769fe6eb5832c7af19df7df
                                                                      • Opcode Fuzzy Hash: 837b4430c3e538ebe26902c3573c4df6517218bdae45b12b18c1360b7e3c36a3
                                                                      • Instruction Fuzzy Hash: EA22C1742046618BEB25EFADC850372BBF1AF44304F08865BDD868F386E775E492DB61
                                                                      Function 015E6A50 Relevance: .5, Instructions: 548COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1a1cc927fdab34a1ce08c93c261e9ecb1ac4fc5c88004046acee0c495235b070
                                                                      • Instruction ID: 28eae9194aed1cef20b39661661fc30a0505afd59166cad6acac8faff8ab260a
                                                                      • Opcode Fuzzy Hash: 1a1cc927fdab34a1ce08c93c261e9ecb1ac4fc5c88004046acee0c495235b070
                                                                      • Instruction Fuzzy Hash: E4328C71E01215CFDB29CF68C884AAEBBF2FF58310F148569E956AB391D774E881CB50
                                                                      Function 01604A35 Relevance: .4, Instructions: 423COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                      • Instruction ID: 5c4c56cfe57d665fe94ac5b3ecb6d9de61cb5e70be7d5531a6dbdd941e0a292d
                                                                      • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                      • Instruction Fuzzy Hash: 5BF15371E0061A9FDB2ACF99DD40BAFBBF5AF48710F058169EA05AB380DB74D841CB50
                                                                      Function 0167892B Relevance: .4, Instructions: 386COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 26af40b0e919853e95b472f6da6670430bcd1ad82b6324fa625d98c8fe9cc782
                                                                      • Instruction ID: 3709ea602661821bb282fe0cdc915585eb97121502fb2d317489392d5b0c2730
                                                                      • Opcode Fuzzy Hash: 26af40b0e919853e95b472f6da6670430bcd1ad82b6324fa625d98c8fe9cc782
                                                                      • Instruction Fuzzy Hash: 89D1E271E0060A8BDF15CF69CC45ABEBBFABF88304F188169D955A7241D735ED06CB60
                                                                      Function 015E65D0 Relevance: .4, Instructions: 383COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1e5bba8e54da128d24634b15718b41f6ef4d51e261ff8027fd6d56edbe0855ae
                                                                      • Instruction ID: 184456b348ba0b160812e0ab5eceab0431070bfcef96f18cc16644fc1a3e091c
                                                                      • Opcode Fuzzy Hash: 1e5bba8e54da128d24634b15718b41f6ef4d51e261ff8027fd6d56edbe0855ae
                                                                      • Instruction Fuzzy Hash: B6E1C071A08342CFC719CF28C494A6ABBE0FF99354F05896DE9958B351DB30E905CF92
                                                                      Function 015D8397 Relevance: .4, Instructions: 380COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fa0c28c477560cd11a864fafe71e6aea37bbb1572bf15e414b725da80bf163a6
                                                                      • Instruction ID: d8233bcf290684f1a189b2fed82ef0f1ab93ab7c8e01657433ef8b4bb48f848d
                                                                      • Opcode Fuzzy Hash: fa0c28c477560cd11a864fafe71e6aea37bbb1572bf15e414b725da80bf163a6
                                                                      • Instruction Fuzzy Hash: A3D1BD71A006169BDB24DF6CCC91ABEB7E5FF94318F05462DE9169F281EB30E950CB50
                                                                      Function 01668243 Relevance: .3, Instructions: 322COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                      • Instruction ID: 2780f118625059ec638a1056b39e6539ff7cd2bd3788c4de63274f79467993a3
                                                                      • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                      • Instruction Fuzzy Hash: 16B15075A00705AFDF24DBA9CD40AABBBBEBF84304F14845DEA02A7794DB34E905CB50
                                                                      Function 015F0535 Relevance: .3, Instructions: 300COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                      • Instruction ID: 8028af8b3d26ab491e9009ed558219a741051b32bc36a9e38c9bef9433c59222
                                                                      • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                      • Instruction Fuzzy Hash: D2B1C331604646AFDB25DB68C854BBEBBF7BF84200F18459DE652DB382DB70E941CB90
                                                                      Function 015E83C0 Relevance: .3, Instructions: 281COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3596639f517149e685987cc6065ef081bb35f8f09852a89f818d004eaeaa3272
                                                                      • Instruction ID: 2288edf5da08369d8b18c88e884fc659fded478df1a8e097d2825f5f52c01505
                                                                      • Opcode Fuzzy Hash: 3596639f517149e685987cc6065ef081bb35f8f09852a89f818d004eaeaa3272
                                                                      • Instruction Fuzzy Hash: C0C158745083419FD764CF19C884BAAB7E5FF88304F44492EE9898B391EB74E948CF92
                                                                      Function 015DC427 Relevance: .3, Instructions: 280COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9c26d1b1b3a0ebbb03ef14437dad48bdcb30881d4baa28772bba38d8ba6964a3
                                                                      • Instruction ID: 9288820829cfd3a7df16d648e9ab2d9cba1ef063b7aa885235851fae225052c8
                                                                      • Opcode Fuzzy Hash: 9c26d1b1b3a0ebbb03ef14437dad48bdcb30881d4baa28772bba38d8ba6964a3
                                                                      • Instruction Fuzzy Hash: ABB16F70A002668BDB74CF58C890BADB3B5BF84700F4485EDD54AEB281EB709D85CF24
                                                                      Function 0160E5E7 Relevance: .3, Instructions: 278COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0603450c842d03f4677a59a2b08728a929647c5fd2adbca2bfc0437d53f05573
                                                                      • Instruction ID: 94b184fa515e8f51d906e6971f1d4b4c07852b74500f798feaa8b4b110a7135d
                                                                      • Opcode Fuzzy Hash: 0603450c842d03f4677a59a2b08728a929647c5fd2adbca2bfc0437d53f05573
                                                                      • Instruction Fuzzy Hash: B2A13331E006299FEB26DBACCC44BAFBBB5BB01714F0505A9EA00AB3D1C7749D41CB95
                                                                      Function 01620185 Relevance: .3, Instructions: 276COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5db6adb11821058732cd564c014c9a87080580ccd35686189c6848fc1521e539
                                                                      • Instruction ID: 9ed43845bc8ae7794f5e81aa3279306c1afc17ab451ca19acc8c6edf0f73cde0
                                                                      • Opcode Fuzzy Hash: 5db6adb11821058732cd564c014c9a87080580ccd35686189c6848fc1521e539
                                                                      • Instruction Fuzzy Hash: 4BA1B270B01A26DFEB25CF69CD90BAAB7B5FF54318F008129EA0597381DB74E816CB50
                                                                      Function 016B4500 Relevance: .3, Instructions: 275COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4a3b6bc586d778b22f0cfa5d03a90c9fd94438d29c88e538cd2cb13464223955
                                                                      • Instruction ID: d42209ed84b1e7bb5f275da140024019955a6493322df5b811255cc4833e57f6
                                                                      • Opcode Fuzzy Hash: 4a3b6bc586d778b22f0cfa5d03a90c9fd94438d29c88e538cd2cb13464223955
                                                                      • Instruction Fuzzy Hash: BDA1CE72A14652AFC711DF18CD80BAAB7E9FF88704F05052CE686DB752DB34E881CB91
                                                                      Function 016B2B57 Relevance: .3, Instructions: 266COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                      • Instruction ID: 3826bf0e54fb1df28af6e986484874adc9f4ae8143d4e1627deddf1f49c8587d
                                                                      • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                      • Instruction Fuzzy Hash: 0BB11871E0061A9FDF25CFA9C890AEDBBF5BF48310F14816DE914AB355D730A982CB90
                                                                      Function 016660E0 Relevance: .3, Instructions: 264COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 30118e133ded595ce085c35d18f28bc6c1026bd211ec76ef998b1c76e481754a
                                                                      • Instruction ID: 700030956b8a254b51615897b56bb0373ed1ce2a7f657e4259218b6529a1c88e
                                                                      • Opcode Fuzzy Hash: 30118e133ded595ce085c35d18f28bc6c1026bd211ec76ef998b1c76e481754a
                                                                      • Instruction Fuzzy Hash: 59916E71E00216AFDB15CFA8EC94BAEBBBDAF48710F154169E614FB341D734E9009BA4
                                                                      Function 015FE3F0 Relevance: .3, Instructions: 261COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5f261484c04f3de7c141844a6b7a2b198bd28ee056d46f6dbd509b98c1cf9e35
                                                                      • Instruction ID: e4842ce089af1eb16a142e33231b48104483ad40be15be9ef2aaa20561e6e66d
                                                                      • Opcode Fuzzy Hash: 5f261484c04f3de7c141844a6b7a2b198bd28ee056d46f6dbd509b98c1cf9e35
                                                                      • Instruction Fuzzy Hash: 83911331A00616CBEB25DB5CC849B7EBBA2FB98714F06446DEE059F3A0E734D941C791
                                                                      Function 01636ACC Relevance: .2, Instructions: 226COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7e6ee6cfae40f49302511fe4201ccd21b63d6701f3d75ca58fc1515b86bb85f2
                                                                      • Instruction ID: e7153a2936fe3e3703dfee4a62b5cd9398a60e55639ae6dd27e3c61bf5733d6d
                                                                      • Opcode Fuzzy Hash: 7e6ee6cfae40f49302511fe4201ccd21b63d6701f3d75ca58fc1515b86bb85f2
                                                                      • Instruction Fuzzy Hash: 4C818271E00616AFDB18CF69C940ABEBBF9FB88700F04852EE556D7640E734DA51CBA4
                                                                      Function 016AAB40 Relevance: .2, Instructions: 222COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                      • Instruction ID: 43950e6feee526278237dbf1442f7353c2dbdba14ccf84b11b0014b375ff6f2b
                                                                      • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                      • Instruction Fuzzy Hash: 8F817E72A002069BDF19DF98C890AAEBBF6AF84310F58856ED9169B345D734ED01CF94
                                                                      Function 0161E284 Relevance: .2, Instructions: 212COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1ad43a8121acb2257cabf999a658c9260ec36b47cc617c5d8466a062bbacb22f
                                                                      • Instruction ID: 76f144d1a845bc81918e109e6310a421ef304afbe3248f7dcc383ab179bf928d
                                                                      • Opcode Fuzzy Hash: 1ad43a8121acb2257cabf999a658c9260ec36b47cc617c5d8466a062bbacb22f
                                                                      • Instruction Fuzzy Hash: 65814D71A00609EFDB26CFA9C880AEEBBBAFF48354F14442DE955A7254D731EC45CB60
                                                                      Function 015FC640 Relevance: .2, Instructions: 206COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2f697080003bf25ea7f07355bef5a46f163838c85693edffcf800cb8689636be
                                                                      • Instruction ID: f032e1e3527fd4b34d4a2bbc5975da03e4cfbf2a4e3a26bf964d7592e67d752d
                                                                      • Opcode Fuzzy Hash: 2f697080003bf25ea7f07355bef5a46f163838c85693edffcf800cb8689636be
                                                                      • Instruction Fuzzy Hash: F071AE75C066299BCB258F99C890BBEBBB5FF58710F14452EEA82AB350D7309800CB90
                                                                      Function 016947A0 Relevance: .2, Instructions: 202COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f38bcc8fd9a1c2e3bc6151b47a7777ed62dd2298b0c3bf1cf91d702ca8ad900d
                                                                      • Instruction ID: 1b5e4bc48d5289bbf8527f27f9ecc6826ea7a01df85318f29b9df87a95a47589
                                                                      • Opcode Fuzzy Hash: f38bcc8fd9a1c2e3bc6151b47a7777ed62dd2298b0c3bf1cf91d702ca8ad900d
                                                                      • Instruction Fuzzy Hash: 25718E71D01205EFDF20CF99DE40A9EBBF9FF94300B11915AEA11EB258CB358942CB58
                                                                      Function 015F260B Relevance: .2, Instructions: 201COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bad58dbf6fb3119e3b3eb213e2396712a6f26cead28737d014109a39d8cfb27d
                                                                      • Instruction ID: a27a39fa06174930f74f3ec4b7f5fa27b2171a979ad32d2ff62bd88e6373520e
                                                                      • Opcode Fuzzy Hash: bad58dbf6fb3119e3b3eb213e2396712a6f26cead28737d014109a39d8cfb27d
                                                                      • Instruction Fuzzy Hash: 6071CEB16042429FD712DF28C880B2AB7E5FF89310F0585AEE999CF352DB38D845CB91
                                                                      Function 0166035C Relevance: .2, Instructions: 198COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                      • Instruction ID: 75badb30692c750092a522eaf44b2a67c566888439177a40ba9d40005f69eaf8
                                                                      • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                      • Instruction Fuzzy Hash: F5715F71A0061AEFDB10DFA9C944EDEBBB9FF98704F104569E605EB250DB34EA01CB94
                                                                      Function 016762A0 Relevance: .2, Instructions: 198COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: db18f60a3098d3a0819eae7ac734e3369305e761c1e6243c0bc9191fc5847080
                                                                      • Instruction ID: 4898a3c4450b86da6204c6d5ae50e51abf069bb557eac17453615d51d69daaf4
                                                                      • Opcode Fuzzy Hash: db18f60a3098d3a0819eae7ac734e3369305e761c1e6243c0bc9191fc5847080
                                                                      • Instruction Fuzzy Hash: 2A71C032200B02AFEB229F18CC54F66BBB6BF44724F15892CE2568B2A0D775E944CB50
                                                                      Function 016B8324 Relevance: .2, Instructions: 192COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 262e8594a175bc125029f69ad599ff088e81cfeefbf54dcf6a3ec00aea949a21
                                                                      • Instruction ID: 2f1b5467c6e92b9772fa94f77117548914ad0911dd50fc674c7a13481cc5a615
                                                                      • Opcode Fuzzy Hash: 262e8594a175bc125029f69ad599ff088e81cfeefbf54dcf6a3ec00aea949a21
                                                                      • Instruction Fuzzy Hash: 7D711872E0021AAFDB15DF94CC81FEEBBBDFB04350F104169E611A7290E774AA45CB94
                                                                      Function 0169A250 Relevance: .2, Instructions: 184COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 71967d57bcb1ac278a181d57680bdb4b1d4ca5f6c293da537a3576730cb8f4f6
                                                                      • Instruction ID: 73523d83f2ac4c92b5676ed4482ffd49c7fef0199956403013d09a27687a42a7
                                                                      • Opcode Fuzzy Hash: 71967d57bcb1ac278a181d57680bdb4b1d4ca5f6c293da537a3576730cb8f4f6
                                                                      • Instruction Fuzzy Hash: BE519D72505612AFDB11DEA8CC84A6BBAEDEBC5B50F01096DFA40DB250D770ED05CBA2
                                                                      Function 01688350 Relevance: .2, Instructions: 161COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 10b96a707c687d5a4601e237dea0495f1e4517e5a82c6a2ee8bbf9c36dfe3fd9
                                                                      • Instruction ID: 3b215117f14dc5136517b704e4f34a2d2e7ef572cebfd7b1d5a36f586252a864
                                                                      • Opcode Fuzzy Hash: 10b96a707c687d5a4601e237dea0495f1e4517e5a82c6a2ee8bbf9c36dfe3fd9
                                                                      • Instruction Fuzzy Hash: E051AD719007059BD721EF9ACC80AABFBFDBF94710F50471ED292976A2C7B0A945CB50
                                                                      Function 0161E443 Relevance: .2, Instructions: 158COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 39bab7a9990511caedaaec9f483f8b256875d4e8104b06139d12ab370efe684e
                                                                      • Instruction ID: b8bb91791870e7568b8d07686637bec86f998012eb080c4dc915a6340e4e4516
                                                                      • Opcode Fuzzy Hash: 39bab7a9990511caedaaec9f483f8b256875d4e8104b06139d12ab370efe684e
                                                                      • Instruction Fuzzy Hash: 14518A31200A16DFDB22EF69CD90F6AB3B9FF54784F45042DEA0297260D731E941CB50
                                                                      Function 01684180 Relevance: .2, Instructions: 156COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bf994f62ca55fc5305e277d32bb330a213b94f22e41cf43dfdaadbd4cb5df933
                                                                      • Instruction ID: 3048bbed91cbf91e67a077be55ec23e86d7e478e8806137f3809413be0fb9259
                                                                      • Opcode Fuzzy Hash: bf994f62ca55fc5305e277d32bb330a213b94f22e41cf43dfdaadbd4cb5df933
                                                                      • Instruction Fuzzy Hash: 5A5157716083429FD754EF2AC880A6BBBE5BFD8204F444A2DF589C7350EB30D905CB96
                                                                      Function 016045B1 Relevance: .2, Instructions: 156COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                      • Instruction ID: d6bee3adbf13739526cd724f46ea8652b672ab0d8bf7f98239760b4c19d1b0e8
                                                                      • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                      • Instruction Fuzzy Hash: 00516171D0021AABDF2ADF98C840BBFBBB9AF45754F144069EA01AB380DB74DD45CB94
                                                                      Function 0166E9E0 Relevance: .2, Instructions: 154COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                      • Instruction ID: 6e209340b1e23088adb05738a2a94db6cc7e66644f719a119207f05a6859aa39
                                                                      • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                      • Instruction Fuzzy Hash: 0951D735D0021AEFEF21DF94CD94BAEBB7DAF00324F154669D91267290D7329E41CBA0
                                                                      Function 016A8B28 Relevance: .2, Instructions: 152COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 93eed433b21831ab7216315186e1736f76446e7df79a378b004721a54965cb79
                                                                      • Instruction ID: 5c1a0b388b632598622c04fe1d72df5d80312713b2d8a928017d4442c84fcd3f
                                                                      • Opcode Fuzzy Hash: 93eed433b21831ab7216315186e1736f76446e7df79a378b004721a54965cb79
                                                                      • Instruction Fuzzy Hash: 8541B3717016119BEB29DB2DCC94B7BBB9EFF90621F848219E95687381DB34DC01CE91
                                                                      Function 0166CBF0 Relevance: .1, Instructions: 148COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0d6b02fb615e816fbb23be9610f7ebe02f8adc6d7166ee480547c1ae7565579b
                                                                      • Instruction ID: 350d0ac07119f397f63fb80c2dcd0d331efd3262f7af97dcdb3873ea0bc83539
                                                                      • Opcode Fuzzy Hash: 0d6b02fb615e816fbb23be9610f7ebe02f8adc6d7166ee480547c1ae7565579b
                                                                      • Instruction Fuzzy Hash: BB518AB6E0161ADFCB20DFA9CC909AEBBB9FB98318B114519D685A7304D734ED01CB90
                                                                      Function 0161A430 Relevance: .1, Instructions: 139COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1ee324043f1b96fe545f3f5c57a21801375eaf6b9cb4f47a39237af4734219a1
                                                                      • Instruction ID: 02f23e988084262448fe41750d3a3751d52e27d0a3b167968a36cdbacc4bda84
                                                                      • Opcode Fuzzy Hash: 1ee324043f1b96fe545f3f5c57a21801375eaf6b9cb4f47a39237af4734219a1
                                                                      • Instruction Fuzzy Hash: 1F416C71B422529BDB29EFB8DC80F2A3766EB59308F05502CEE02DB349D7B1D810CB64
                                                                      Function 016AA9D3 Relevance: .1, Instructions: 139COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                      • Instruction ID: 1d26f2b256cd8b620aeafda07b7d066721163ecc6e3c48a3e8e1826683e156b8
                                                                      • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                      • Instruction Fuzzy Hash: 1641C6716007169FD725CF98CD94A6AB7E9FF80210B45462FEE528B740EB30ED05CB90
                                                                      Function 016101F8 Relevance: .1, Instructions: 138COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 85e2b40ac9149823dff6351afd40afd3593bb454de59936232a49ca4de6f114e
                                                                      • Instruction ID: 3d7818284ae2886dff8090155b55dfafd432529aed0e3b73c56604c72b6d14da
                                                                      • Opcode Fuzzy Hash: 85e2b40ac9149823dff6351afd40afd3593bb454de59936232a49ca4de6f114e
                                                                      • Instruction Fuzzy Hash: 6741BE3690021ADBDF10DFA9C840AEEB7B5BF48710F18815AF915EB344D7359D82CBA4
                                                                      Function 0160EBFC Relevance: .1, Instructions: 138COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c2db95a44b6f1be1f5690de5931ac3fa0c71ad4f57e3891095053471a9e849a7
                                                                      • Instruction ID: 5c420b16053c4e32ad4ed42d872bcef89e73f1c82405515896d7da58a8f30e75
                                                                      • Opcode Fuzzy Hash: c2db95a44b6f1be1f5690de5931ac3fa0c71ad4f57e3891095053471a9e849a7
                                                                      • Instruction Fuzzy Hash: 8E41A2B26043129FD729DF28CC84A17B7E5FF88214F004C6DE6A6C7791DB72E8458B51
                                                                      Function 01622750 Relevance: .1, Instructions: 137COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                      • Instruction ID: 83b081ab69554c8a7b687b8eeb98bdd37082093e12bdf899a727ee43643fdec7
                                                                      • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                      • Instruction Fuzzy Hash: 3B516A75A01615CFCB55CF98C880AAEFBB2FF84714F2482A9D915EB351D730AE42CB90
                                                                      Function 015E6154 Relevance: .1, Instructions: 133COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 837e493d3b5b1e6dbc7041aab40088dcfeb5335d765bc7cb8247af35b54e6c79
                                                                      • Instruction ID: f2e32aaa70341eef1df9e2dc3b22d059e1b30a5e8126c444475a14e0239876ca
                                                                      • Opcode Fuzzy Hash: 837e493d3b5b1e6dbc7041aab40088dcfeb5335d765bc7cb8247af35b54e6c79
                                                                      • Instruction Fuzzy Hash: 9D51D670D04257DBDB298B68CC08BE9BBF1FF65314F1482A9D6299B2D1D7749981CF80
                                                                      Function 015E0BCD Relevance: .1, Instructions: 130COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7318c6999956ec2e56cb229939387676f16de171963f64bef61813b9e2120618
                                                                      • Instruction ID: 3ef39cde8eab8f1ed1f9662ae474138dccf907dc0798d650f16ff59c5ce896ca
                                                                      • Opcode Fuzzy Hash: 7318c6999956ec2e56cb229939387676f16de171963f64bef61813b9e2120618
                                                                      • Instruction Fuzzy Hash: 9C419F72E002299ADB25DF68CD44BEAB7B5FF85740F0104A9E908AF281D774DE81CF91
                                                                      Function 016A866E Relevance: .1, Instructions: 129COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                      • Instruction ID: 9d47b3ecd8855027efe3da5236cad55e9dd56acb82ebfbcf2bd0d2806a22b42a
                                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                      • Instruction Fuzzy Hash: 5741A375B00216ABEB15DF99CC84ABFBFBEAF88601F544069E904A7341DB70DD01CBA0
                                                                      Function 015E0887 Relevance: .1, Instructions: 128COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d3737b72d952dae857b976cad2aa72fc6fc6b42ab4417e3262568bc696879daa
                                                                      • Instruction ID: 81066445f08cf49c01c6f3cbd82478471b4a4fbeefb0585656804f2132ea5a31
                                                                      • Opcode Fuzzy Hash: d3737b72d952dae857b976cad2aa72fc6fc6b42ab4417e3262568bc696879daa
                                                                      • Instruction Fuzzy Hash: EE41B4B0B007029FE729CF28C884926B7F9FF89314B104A6DE556CB690E7B0F845CB50
                                                                      Function 0160A470 Relevance: .1, Instructions: 127COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 88022a760f39bc1200d7c2a331281012dd2e5580ef48afd5e92faa0db74d5874
                                                                      • Instruction ID: cb18cb512ece76be6ee999e2e1e017c031029d79e3739b4f5d239f5bb3fa9528
                                                                      • Opcode Fuzzy Hash: 88022a760f39bc1200d7c2a331281012dd2e5580ef48afd5e92faa0db74d5874
                                                                      • Instruction Fuzzy Hash: 5941BB32941205CFDB2ADFACDD94BAE7BB0FB98390F050199D415AB3D1DB369901CBA4
                                                                      Function 015E8BF0 Relevance: .1, Instructions: 124COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9a647399d82b401e410b36cb99242fd7625bb1dd9c388c88f191b6057a1e4f94
                                                                      • Instruction ID: b814017fe17390505f7c911e028e9746abe6458154e27adb4396e75f2d51927b
                                                                      • Opcode Fuzzy Hash: 9a647399d82b401e410b36cb99242fd7625bb1dd9c388c88f191b6057a1e4f94
                                                                      • Instruction Fuzzy Hash: 7C41DD72E01202CBD7298F5CDD88B5ABBF6FBD5600F24846EE9059F665CB359842CB90
                                                                      Function 015D8918 Relevance: .1, Instructions: 123COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d01963dd91fff1fe0a12013f02b62765f2f8b200060abd9999a408fde3a27e1a
                                                                      • Instruction ID: 2f7e072e437f05ea0aaebfa30a7fc48f80226df80254b6d4d654e375480e1732
                                                                      • Opcode Fuzzy Hash: d01963dd91fff1fe0a12013f02b62765f2f8b200060abd9999a408fde3a27e1a
                                                                      • Instruction Fuzzy Hash: 74414A315087069ED322DF69CC40A6BB6E9FF84B54F41092EFA84DB250E730DE048BA7
                                                                      Function 015DA020 Relevance: .1, Instructions: 122COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                      • Instruction ID: d9b7fa67ce5bce83736aff3d4199e6274a0d2d35e263819d8c91ae1699f44b45
                                                                      • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                      • Instruction Fuzzy Hash: CB411531A00212DBEB31DE6D88407BBBBA1FBD0754F15806EEA459F384D7328D80CB90
                                                                      Function 015E09AD Relevance: .1, Instructions: 122COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1b4a2d59875c2695f5cdb3d336f0fbf470b3c91ecfdffba45849d5142b915a6c
                                                                      • Instruction ID: b2671e36cb89fedcc12c5a919e8908892ff4d7f52d8affc73fa916c30f1536f0
                                                                      • Opcode Fuzzy Hash: 1b4a2d59875c2695f5cdb3d336f0fbf470b3c91ecfdffba45849d5142b915a6c
                                                                      • Instruction Fuzzy Hash: 47417D71A00606DFD725CF18C844B2ABBF5FF98314F24896AE559CF291E7B1E942CB90
                                                                      Function 01610710 Relevance: .1, Instructions: 121COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                      • Instruction ID: 366753cc5599d79a278ea821ec40b10fa59a1b7c514bbfb5789244287c2db0fb
                                                                      • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                      • Instruction Fuzzy Hash: 9D414B75A04705EFDB24CF98C980AAABBF8FF18700B14496DE556DB254D330EA85CF90
                                                                      Function 015E262C Relevance: .1, Instructions: 119COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 286bdb29aee5c80c2c59e066001e08ec8778d2e2691b2982bfb6a4c6d02a0ba7
                                                                      • Instruction ID: 7ae727639561f4fd9241b682a401a3a02b7456b9609992844795722ed4a748b5
                                                                      • Opcode Fuzzy Hash: 286bdb29aee5c80c2c59e066001e08ec8778d2e2691b2982bfb6a4c6d02a0ba7
                                                                      • Instruction Fuzzy Hash: 70419AB1D417069FCB2AEF28C944A69B7FAFF94310F1586ADC4068B2A5DB30A941CF51
                                                                      Function 0161C8F9 Relevance: .1, Instructions: 116COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b691d5422f2563d81a84a7669b0554fda4c76043e46729d60afdbce55c32c427
                                                                      • Instruction ID: 2e330846878b32f5bf5b84cea9f872be9f8b0c45c94b11e7cff78d445f219137
                                                                      • Opcode Fuzzy Hash: b691d5422f2563d81a84a7669b0554fda4c76043e46729d60afdbce55c32c427
                                                                      • Instruction Fuzzy Hash: D431A7B2A41246DFDB52CFA8C840798BBF1FB48724F2484AED519EB351D3329902CB90
                                                                      Function 016607C3 Relevance: .1, Instructions: 114COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 668a0d11121821793540168ab33754a540014f48f23b7e7fd534a5b73dae7251
                                                                      • Instruction ID: 86269400f068499b015a60bcd3fffef47a200cec53d6d4f87dff7cdbe7f79154
                                                                      • Opcode Fuzzy Hash: 668a0d11121821793540168ab33754a540014f48f23b7e7fd534a5b73dae7251
                                                                      • Instruction Fuzzy Hash: B8418E729043059FD760DF29CC45B9BBBE8FF88654F004A2EF598C7251DB709904CB92
                                                                      Function 015D80A0 Relevance: .1, Instructions: 111COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2d2c8423da2c276085a00c2056a37133c2aa5c61f2f2189193cf3c3f9be228ae
                                                                      • Instruction ID: d6ce2fe513f84cdec9d2200e900357972fda1b1249056549a96e03dd303414af
                                                                      • Opcode Fuzzy Hash: 2d2c8423da2c276085a00c2056a37133c2aa5c61f2f2189193cf3c3f9be228ae
                                                                      • Instruction Fuzzy Hash: 1B41C271E05616AFDB21DFACCC80AACB7B1BB94760F148629D815AB280D734ED458BD0
                                                                      Function 016605A7 Relevance: .1, Instructions: 111COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 425da8c866e15a7fc6a348ed83692cd3cf4bcd1c03dfa97f03b504784d0b01f8
                                                                      • Instruction ID: 86d144a3d0fb4ad75ce5499fa498598c18e0116ff9973d11f0364e30dd0e2f45
                                                                      • Opcode Fuzzy Hash: 425da8c866e15a7fc6a348ed83692cd3cf4bcd1c03dfa97f03b504784d0b01f8
                                                                      • Instruction Fuzzy Hash: 3041B1726046529FD320DF68CC40A6AB7A9FFC8700F14062DF954DB680E730ED04CBA6
                                                                      Function 015E4859 Relevance: .1, Instructions: 111COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: df203eaabb5b0bc1158c32e0554055f96dfb7149f679a064fd3a2fc3913793be
                                                                      • Instruction ID: 531225c7131629a20414e3c931ab1c6bc525f9eb4c04d511efbef12925570eae
                                                                      • Opcode Fuzzy Hash: df203eaabb5b0bc1158c32e0554055f96dfb7149f679a064fd3a2fc3913793be
                                                                      • Instruction Fuzzy Hash: C541D170A043028BD729DF28D898B2ABBE9FFC0354F15486DE685DF291DB34D811CB91
                                                                      Function 015D8B50 Relevance: .1, Instructions: 111COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5b61b82575fae270969bd58dc180c4ea1ea02701e462da54fd9670412bac593f
                                                                      • Instruction ID: e5655baa17eb9c5ab3d3753a16c877d677c70811b1a98b96edf45d2383401492
                                                                      • Opcode Fuzzy Hash: 5b61b82575fae270969bd58dc180c4ea1ea02701e462da54fd9670412bac593f
                                                                      • Instruction Fuzzy Hash: 30416DB1A01605DFDB25CF6DC98099DBBF1FF88320B14862AD466AF260DB34A941CF50
                                                                      Function 015F02E1 Relevance: .1, Instructions: 106COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                      • Instruction ID: 5a4b162bb813502f2c61418f02af62324dcda9a32ffab7d05ed888f27daa104f
                                                                      • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                      • Instruction Fuzzy Hash: 0D310431A04245ABDB218B68CC44BAFBBEAFF54350F0845A9F815DB392C6749844CBA4
                                                                      Function 0168E3DB Relevance: .1, Instructions: 105COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 387c1e1eb766621ee6b0b34ba8999ecee03a91e970c8a9df1dc7944f753ba551
                                                                      • Instruction ID: aae89efffee793ed89ea076f92920e95e93c129831841c14c4c5830589c1c0f9
                                                                      • Opcode Fuzzy Hash: 387c1e1eb766621ee6b0b34ba8999ecee03a91e970c8a9df1dc7944f753ba551
                                                                      • Instruction Fuzzy Hash: EE31AA31B51716ABE722AF698C41F6F7AA9AF58B50F010068F604AB3D1DAA5DC01C7E4
                                                                      Function 01694B4B Relevance: .1, Instructions: 104COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1463ae53d062034206b3dc82dd237bc18928f87a9c9cc9ac0c25912d0a35780a
                                                                      • Instruction ID: 85bc08869b4498a21f3353d5dc05bc5b466f4bfe37a880f0574275b66f43228c
                                                                      • Opcode Fuzzy Hash: 1463ae53d062034206b3dc82dd237bc18928f87a9c9cc9ac0c25912d0a35780a
                                                                      • Instruction Fuzzy Hash: 2E31AD72606201CFCB21DF1DDD80E26B7E9FB85360F0A446EE9998B355DB30E812CB91
                                                                      Function 015E4260 Relevance: .1, Instructions: 102COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cbc1cad81b140f46f5bd3a94cedf3a931f746251398a8f9a68ec5dff7351ff93
                                                                      • Instruction ID: c91c27bd2b013ccd31f96bb679d134e02c3e847f744d90d1bfe4ddb696a01bb2
                                                                      • Opcode Fuzzy Hash: cbc1cad81b140f46f5bd3a94cedf3a931f746251398a8f9a68ec5dff7351ff93
                                                                      • Instruction Fuzzy Hash: DB419C31600B569FD726CF28C894BDB7BE5BB48314F01886DE6AACB290C774E840CB50
                                                                      Function 01694BB0 Relevance: .1, Instructions: 101COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a70b538ff8649983e8550eb7a5380ff4b4f9f7c2f41d774a6993a7c9f1b5ff1c
                                                                      • Instruction ID: 761c65fde8c025831fecfde22aabf66ecd4d6f5288d5e1b2557bfd94ca2b181a
                                                                      • Opcode Fuzzy Hash: a70b538ff8649983e8550eb7a5380ff4b4f9f7c2f41d774a6993a7c9f1b5ff1c
                                                                      • Instruction Fuzzy Hash: 06319C716052428FDB20DF28DD80A2AB7E9FB84720F05496DE9559B390EB30E806CB91
                                                                      Function 0165EB1D Relevance: .1, Instructions: 100COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7af724461f1658db252691713c4ce46708828f1bb78230348b601159d274d6d8
                                                                      • Instruction ID: 26fb49bbd943ced114c097e4d39449446752615f95eb257369a78b0995656675
                                                                      • Opcode Fuzzy Hash: 7af724461f1658db252691713c4ce46708828f1bb78230348b601159d274d6d8
                                                                      • Instruction Fuzzy Hash: 7C31E4326016829BFB629B5CCE48B25FBD9BB40780F1D00B4AF458B7D2DB29D941C234
                                                                      Function 016A61C3 Relevance: .1, Instructions: 97COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 117c84726e6943111bdeda53efd60e1a93a62de19d122bf2e1c9d4804016ff27
                                                                      • Instruction ID: 7474619857065040538da7c68b4b0e5819903360a9ab4379659312a93da22a92
                                                                      • Opcode Fuzzy Hash: 117c84726e6943111bdeda53efd60e1a93a62de19d122bf2e1c9d4804016ff27
                                                                      • Instruction Fuzzy Hash: 58319275A00156ABDB15DF98CC40BAEB7B5FB44740F458169E900AB244D770AD41CFA4
                                                                      Function 0168483A Relevance: .1, Instructions: 96COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cd5145cdb793a8133fedaae87488057ace53938116d644058f92012852cd131d
                                                                      • Instruction ID: 903a69a756c61cb15f01e4ecff42d13d92d0502e60818f41cd1ac08c77aff5f8
                                                                      • Opcode Fuzzy Hash: cd5145cdb793a8133fedaae87488057ace53938116d644058f92012852cd131d
                                                                      • Instruction Fuzzy Hash: F3313276A4112EABCF31EF54DC84BDEBBB6AB98350F1501E5E508A7250DB309E91CF90
                                                                      Function 0160EB20 Relevance: .1, Instructions: 96COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6c502e1d5621d902c811cc274e83d292f937faeb28a40df0d436b3eb8dfe8da3
                                                                      • Instruction ID: 198b5a683d6809a957edab80619489ddc2e65ff799756f4feb79baa0ac701f95
                                                                      • Opcode Fuzzy Hash: 6c502e1d5621d902c811cc274e83d292f937faeb28a40df0d436b3eb8dfe8da3
                                                                      • Instruction Fuzzy Hash: 2731B772E00625AFDB22DFA9CD40BAFBBF9EF48750F014865E555D7290D3759E008BA0
                                                                      Function 016A60B8 Relevance: .1, Instructions: 95COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 54885614ae7f23dc3cfd4f3b7386cdf1575f40dd64a0546f1ae4208ee6f7cce2
                                                                      • Instruction ID: fc9e9d0f25aa133d1dcc142d0416036e62192a417da3bebb23e9ab6149fc7879
                                                                      • Opcode Fuzzy Hash: 54885614ae7f23dc3cfd4f3b7386cdf1575f40dd64a0546f1ae4208ee6f7cce2
                                                                      • Instruction Fuzzy Hash: 6A31D471A40606AFDB129FADCC50B6ABBBABF44754F45006DE606DB342DB70EC018F90
                                                                      Function 015E07AF Relevance: .1, Instructions: 95COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 564e52821af7cc422ccba78e2dbb8eaded8328702bddf3aa7fba8c7e9ce0e996
                                                                      • Instruction ID: 35a05351f62bcf54fb9275bacb32c9d150714b66df22388c886b40cd25bf7ea1
                                                                      • Opcode Fuzzy Hash: 564e52821af7cc422ccba78e2dbb8eaded8328702bddf3aa7fba8c7e9ce0e996
                                                                      • Instruction Fuzzy Hash: 4931B372F08612DBC716DE688894A6BBBE5BFD4250F014929FD55AF290DA70DC0187E1
                                                                      Function 015E8550 Relevance: .1, Instructions: 94COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5c62c7d12e10096a1c216e4c576190e5e26bf9f3b741449599b2e3b61cd6bffb
                                                                      • Instruction ID: 06ce5b8d82c5d73814d1ce331682e27d421a3e29278eb9e17fb52289da110947
                                                                      • Opcode Fuzzy Hash: 5c62c7d12e10096a1c216e4c576190e5e26bf9f3b741449599b2e3b61cd6bffb
                                                                      • Instruction Fuzzy Hash: 3A31A171A053019FE324CF19D844B6BBBE5FB88B00F1449AEF9849B351D770E844CB91
                                                                      Function 0161A6C7 Relevance: .1, Instructions: 92COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                      • Instruction ID: 36564cf11735adeebf8a1820c3a6bba113fb8ea29d0b96df19e4ea5bac73ec16
                                                                      • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                      • Instruction Fuzzy Hash: 98312CB6B01B41AFD761CFA9DD40B67BBF8BB08650F08092DA59AC3750E730E900CB64
                                                                      Function 0168EBD0 Relevance: .1, Instructions: 91COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d52802b8d8544c5cb93ccd261d1c43ca7702296760f555e9e6ee9ebe8043e9de
                                                                      • Instruction ID: a9fa44be257070481e241552bd86a23346fd06d4e12bf516f46e273f4ad8aedd
                                                                      • Opcode Fuzzy Hash: d52802b8d8544c5cb93ccd261d1c43ca7702296760f555e9e6ee9ebe8043e9de
                                                                      • Instruction Fuzzy Hash: E731ACB1A09302DFCB11EF19C94095ABBF1FF89214F054AAEE4999B351D332D945CB92
                                                                      Function 0160438F Relevance: .1, Instructions: 89COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3eb16469cc4ba9ef6696615decc0ced58cb99f634c9e96cc0c3cc038b887223b
                                                                      • Instruction ID: 880ee11d2cd87382b3caabe191c330a82805c2ecc901dd8f20259430ef65510f
                                                                      • Opcode Fuzzy Hash: 3eb16469cc4ba9ef6696615decc0ced58cb99f634c9e96cc0c3cc038b887223b
                                                                      • Instruction Fuzzy Hash: C131C232B012469FD729DFA9CD81A6FBBFAEF84304F018529D615D7294DB30E941CB91
                                                                      Function 015DCB7E Relevance: .1, Instructions: 89COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                      • Instruction ID: edd7250839850f39d4332894a99352b3c257b6bef76abf3e4e764da159c45e63
                                                                      • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                      • Instruction Fuzzy Hash: C9210932E0125BAAEB119BB9C801BAFBBB5FF54740F0585799E55EB340E370D900C7A0
                                                                      Function 015DC156 Relevance: .1, Instructions: 88COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d615ae332c265e919585c4bcba0528d208dd265f63e8741d3fba0cac8c18a42a
                                                                      • Instruction ID: cffbed7a135932a1c7c8b64ad5faa206c28e2db5238ebf865ee471e2e27d9357
                                                                      • Opcode Fuzzy Hash: d615ae332c265e919585c4bcba0528d208dd265f63e8741d3fba0cac8c18a42a
                                                                      • Instruction Fuzzy Hash: 553149B19002118BDB32AF68CC44B7977B4BFC5304F9481ADD9459F382EB74D986CB90
                                                                      Function 0169C3CD Relevance: .1, Instructions: 88COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                      • Instruction ID: 02d6c8f971d40203d2b0e5e10199f0acb637c0797cc78224bb627ab1ff9c3b94
                                                                      • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                      • Instruction Fuzzy Hash: 6C212D3670065267DF15AB958C00ABEBBB9EF40B10F40801EFA558B691E734D940C7B4
                                                                      Function 015DE420 Relevance: .1, Instructions: 88COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cdee37df40c445b248f94d99f90f804ab2529010390feccd83d593016845b802
                                                                      • Instruction ID: 6bf3faa4e4a8a8a104cca312502110aa089431c3c60d05a5baf9d436b10212d7
                                                                      • Opcode Fuzzy Hash: cdee37df40c445b248f94d99f90f804ab2529010390feccd83d593016845b802
                                                                      • Instruction Fuzzy Hash: 8531C231A015299BDB319E1CCC42FEE77B9FB55780F0105A5E645AF290E6749E808FA0
                                                                      Function 01614588 Relevance: .1, Instructions: 87COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                      • Instruction ID: 957f0e3d40f6f22f6a218db4084672fd41c2498c0feb3f9715e8f6eae6dabdc4
                                                                      • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                      • Instruction Fuzzy Hash: A8216031A00719EBCB15CF68C980A8EBBA5FF48758F14C469EE159F245DB71EA05CB90
                                                                      Function 016144B0 Relevance: .1, Instructions: 87COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 46ad760ad209874034690f2a277ee8a5d85103bbab4545149e8331b44c0fc43b
                                                                      • Instruction ID: 2520af614ade53428b5305c747475d5f580eb9ef185d03d69d84079092b85fa6
                                                                      • Opcode Fuzzy Hash: 46ad760ad209874034690f2a277ee8a5d85103bbab4545149e8331b44c0fc43b
                                                                      • Instruction Fuzzy Hash: 9521BF726087469BCB22CF58CC80B6B77E5FB88760F058529FD549B785DB30E901CBA2
                                                                      Function 015DE388 Relevance: .1, Instructions: 86COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                      • Instruction ID: 3e2360fcfc169f0176dd57c96900835b8355058500e442c93df2229db990c574
                                                                      • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                      • Instruction Fuzzy Hash: DA316831600605AFEB21CBA8C885F6AB7F9FF85354F1449A9E552CF290E730EA42CB50
                                                                      Function 0165E609 Relevance: .1, Instructions: 86COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 83122da8923dde3c23269b672251859da11661ac05dad05d7bbf06c58149af34
                                                                      • Instruction ID: 1e94dfacb2c05c1ec16f3a24f685015fbe48898d713fc595a9aefd3845c8f1c8
                                                                      • Opcode Fuzzy Hash: 83122da8923dde3c23269b672251859da11661ac05dad05d7bbf06c58149af34
                                                                      • Instruction Fuzzy Hash: 2E317E75A002169FCF54CF1CCC849AEBBB5EF84344F16445AEC099B391EB32EA51CBA5
                                                                      Function 016606F1 Relevance: .1, Instructions: 79COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d032c8c9b524f4717f2d4c8640726c1d111e68c038fee9e4e593c9e7e6b5dd83
                                                                      • Instruction ID: 51610f26e40b53a41939c5536209cf844bb259710b442c41e4ae2d7d06d0948d
                                                                      • Opcode Fuzzy Hash: d032c8c9b524f4717f2d4c8640726c1d111e68c038fee9e4e593c9e7e6b5dd83
                                                                      • Instruction Fuzzy Hash: 4F217E71E0062A9BCF249F59CC81ABEBBF8FF48740B510069F541AB240D778AD51CBA1
                                                                      Function 0166019F Relevance: .1, Instructions: 78COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e1c1f2a31b7f8100d28743c49eeca2a8132d3c913ebcb0a063822236a7b220d8
                                                                      • Instruction ID: 2e7b01be42ce2302523ceccb3834efb89b0640597e9bce08bcfc861155a85cdb
                                                                      • Opcode Fuzzy Hash: e1c1f2a31b7f8100d28743c49eeca2a8132d3c913ebcb0a063822236a7b220d8
                                                                      • Instruction Fuzzy Hash: 69217A71A00645ABD7159BA8DC40A6AB7A8FF88740F144069FA04DB790D738ED40CB68
                                                                      Function 01660283 Relevance: .1, Instructions: 74COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fffcc579ad12fa8698d2ef5ec3c85e4803939596a66928568ac6bad0055c8d41
                                                                      • Instruction ID: 62b541cefe23b11669e5aaf061733afddcf8aa6625e62487a8976394f23b0c6a
                                                                      • Opcode Fuzzy Hash: fffcc579ad12fa8698d2ef5ec3c85e4803939596a66928568ac6bad0055c8d41
                                                                      • Instruction Fuzzy Hash: CD21AF729042469BE712EF59CD44B6BBBDCBF90240F08486ABA80DB291D734D905C6A2
                                                                      Function 01602835 Relevance: .1, Instructions: 73COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bab468a110cbe56b4ae487745d9a937da2fd4029ee90d8965491413693612566
                                                                      • Instruction ID: 498faee9809bfafb719eec331edb7fd66e4d0cc31e4ecef8969861d4fa1ecbe4
                                                                      • Opcode Fuzzy Hash: bab468a110cbe56b4ae487745d9a937da2fd4029ee90d8965491413693612566
                                                                      • Instruction Fuzzy Hash: C4213B32744682ABF327576C8D18B253B95BF41770F2903A8FA619F7D2DB68C801C210
                                                                      Function 0161A30B Relevance: .1, Instructions: 70COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ec52f65c7407265528c54e2237af7650e775e75c3b4316f45e0b0abc120481f6
                                                                      • Instruction ID: fdb453fb10183ce433d938c6f8da96b99c2843d7c78792e79d9d37cc88764774
                                                                      • Opcode Fuzzy Hash: ec52f65c7407265528c54e2237af7650e775e75c3b4316f45e0b0abc120481f6
                                                                      • Instruction Fuzzy Hash: 9921AC35641A429FCB25DF69CC01B56B7F5BF48708F14846CE51ACBB61E331E842CB94
                                                                      Function 0169A49A Relevance: .1, Instructions: 70COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cc2ab028527b0f303539867b2be1dc5cd87b05d9a4e2de17830270f46ca564bb
                                                                      • Instruction ID: a224db33eb588717c2e302d87fd585a4244130d6cf671b9a74506371e55539df
                                                                      • Opcode Fuzzy Hash: cc2ab028527b0f303539867b2be1dc5cd87b05d9a4e2de17830270f46ca564bb
                                                                      • Instruction Fuzzy Hash: 2111E372380A12BFEB2256999C41F277ADEDBD4B60F110468B758DB280EF70DC018795
                                                                      Function 01660946 Relevance: .1, Instructions: 70COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5af2e9490dd273c801df30823f61d92a9e0acfc3383a855592c2656dee294a31
                                                                      • Instruction ID: 0bfd9ab8b8bc62aa03d72339fb6cb0e2488f36c8d8f6385198ca1afd0e43195d
                                                                      • Opcode Fuzzy Hash: 5af2e9490dd273c801df30823f61d92a9e0acfc3383a855592c2656dee294a31
                                                                      • Instruction Fuzzy Hash: 2C21E6B1E41259ABCB24DFAAD9809AEFBF9FF98610F10012EE405A7340DB709941CF54
                                                                      Function 016780A8 Relevance: .1, Instructions: 69COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                      • Instruction ID: cfe50b5608cb16fe0904a9aca9e563f917fddcde698436db9ffff605c7b06707
                                                                      • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                      • Instruction Fuzzy Hash: 22216A72A0020AAFDF129F98CC44BAEBBBAFF88311F214859F914A7251D734DD51CB50
                                                                      Function 01610124 Relevance: .1, Instructions: 68COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                      • Instruction ID: 4c083f76ebf16436be14daf8af5c21a6e76170da8ec5241dcd1735e199f80ba7
                                                                      • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                      • Instruction Fuzzy Hash: 87113433600605BFDB228F98CD42F9ABBB9EB80755F140069F6008F280D774ED80CB50
                                                                      Function 015E8770 Relevance: .1, Instructions: 68COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0bfe0765e16f353854dc7feb884266c1578df22770f569e41bc4ac8fc287b370
                                                                      • Instruction ID: c17e6d3db4c4831b9fc9f2de6ab0d3886f332deb1bb2b9561c026842812143a3
                                                                      • Opcode Fuzzy Hash: 0bfe0765e16f353854dc7feb884266c1578df22770f569e41bc4ac8fc287b370
                                                                      • Instruction Fuzzy Hash: 9F11C135F406119BDB19CF4DC4C4A2ABBE9BF8A710B1980ADEE099F205D6B2D901C790
                                                                      Function 0161AAEE Relevance: .1, Instructions: 68COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                      • Instruction ID: e37591dec14a14a69f7792c3d041306856ec9ce11f26511e15506079c2910cf4
                                                                      • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                      • Instruction Fuzzy Hash: 932179726016C1DFDB368F89C940A66BBE6FB94B10F19887DE94A8B714C730EC01CB80
                                                                      Function 015E80E9 Relevance: .1, Instructions: 66COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0cca6ad22ada7d94dd01c731cd0323174607679f22995a819689f5eaf931b894
                                                                      • Instruction ID: 3c8d1c5723ebf630001bbb78fb1a3c74760f5df832442863d5ed89cce83cb287
                                                                      • Opcode Fuzzy Hash: 0cca6ad22ada7d94dd01c731cd0323174607679f22995a819689f5eaf931b894
                                                                      • Instruction Fuzzy Hash: D7215B75A40206DFCB18CF98C591AAEBBF5FB88318F24456DD105AB311DB71ED06CB90
                                                                      Function 0161674D Relevance: .1, Instructions: 65COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 714fb72e3611f927bbbb5212189ad70fdea86b1492f33a5c9ed4ba41d1adb576
                                                                      • Instruction ID: f17bbf01ef4120badf3ea5019f616ec46e7962fcf994418c0eb2459b8d774de0
                                                                      • Opcode Fuzzy Hash: 714fb72e3611f927bbbb5212189ad70fdea86b1492f33a5c9ed4ba41d1adb576
                                                                      • Instruction Fuzzy Hash: EF218E75611A01EFD7608F69CC41B76B7F8FF84250F08882DE5AAC7260EBB0E850CB60
                                                                      Function 01676870 Relevance: .1, Instructions: 63COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 151f44e2ce0a34e1ebc881bd1cc44163709a8b7c19f6126e0ce4c533c40a06bc
                                                                      • Instruction ID: 0f319f479ee104ecc59960d3293a71882a8a6c09e75195cd7becb16364231f74
                                                                      • Opcode Fuzzy Hash: 151f44e2ce0a34e1ebc881bd1cc44163709a8b7c19f6126e0ce4c533c40a06bc
                                                                      • Instruction Fuzzy Hash: CD119132250A16EFE722DB59CD40F9A77A8EF99650F114069F205DB251DA70ED05C7A0
                                                                      Function 0160E8C0 Relevance: .1, Instructions: 63COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d9e516d69d40a1d8bed5725934596c5ccfade2a4cf7e8a4ebc3e4e750d04cc45
                                                                      • Instruction ID: 8725ab4ffffe2525f301056b0cd2c9176278ac4891addbe8967fa97016065ad0
                                                                      • Opcode Fuzzy Hash: d9e516d69d40a1d8bed5725934596c5ccfade2a4cf7e8a4ebc3e4e750d04cc45
                                                                      • Instruction Fuzzy Hash: 991108737001259FCB1ADB29CC85A7B7257EFD5370B254929D9228B390EA319802C694
                                                                      Function 016166B0 Relevance: .1, Instructions: 61COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f743b7441f0251b558262013d487e719652a5235176f952d206863ae340ebb00
                                                                      • Instruction ID: d3d347ef6335016a85381d43cb44aaf0b8c8a5873b3d13f2d737b54f4bc2e16e
                                                                      • Opcode Fuzzy Hash: f743b7441f0251b558262013d487e719652a5235176f952d206863ae340ebb00
                                                                      • Instruction Fuzzy Hash: 0411C17AA01205DFCB25CF59CD80A6ABBF4AF94610F0A407DD905DB318E7B0DD00CB90
                                                                      Function 016AA8E4 Relevance: .1, Instructions: 61COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                      • Instruction ID: a33e7ce14995c8654eb0ab34134755f133309a49df13e79b0491454f92a26250
                                                                      • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                      • Instruction Fuzzy Hash: 29110436A10906AFDB19CB58CC01B9DBBB6FF84310F058269EC4697380E631FD01CB80
                                                                      Function 015E0AD0 Relevance: .1, Instructions: 61COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                      • Instruction ID: ad96b7c25f048205483827941a21c8bf1ca17315d198026da1961bdef94974aa
                                                                      • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                      • Instruction Fuzzy Hash: 7821F4B5A00B059FD3A0CF29D440B56BBF4FB48B10F10492EE98ACBB40E371E814CB94
                                                                      Function 0166E7E1 Relevance: .1, Instructions: 59COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                      • Instruction ID: 9899771fd7b5017323cfcf603867b0513aac4fd327b8ceef1c6120d6e9b66933
                                                                      • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                      • Instruction Fuzzy Hash: 9C11A339610601EFE721DF49CC44B567BE9EF85754F06842CEA0A9B250D732DC41DB90
                                                                      Function 016027ED Relevance: .1, Instructions: 58COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8f72b1555581b28a4656bac3d3cffe3eefcc7930f77962a41da86b4ccc7e007a
                                                                      • Instruction ID: 9d17950c64237f7c8becd5d5d11133e3ac4fc1c80947ee58cbaf89dfe1615082
                                                                      • Opcode Fuzzy Hash: 8f72b1555581b28a4656bac3d3cffe3eefcc7930f77962a41da86b4ccc7e007a
                                                                      • Instruction Fuzzy Hash: 07012676685685ABF31BA2ADDC58F276B8DFF80394F060078FA018B380DA24DC05C271
                                                                      Function 015E4690 Relevance: .1, Instructions: 57COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 532e296779ac337b6a02ca76600f0b57740fbcf7edfa9bf8ac6698493478af16
                                                                      • Instruction ID: 20c77e4df5c645ff27b5679b923c9d5f68803452fa2659cd0e3dcdd94b535fa8
                                                                      • Opcode Fuzzy Hash: 532e296779ac337b6a02ca76600f0b57740fbcf7edfa9bf8ac6698493478af16
                                                                      • Instruction Fuzzy Hash: 9D11E036A84745AFDB29CF59D888B5A7BE4FB85764F104519FA05CF240C770E841CFA0
                                                                      Function 016B4B00 Relevance: .1, Instructions: 57COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 05e7b69143b95e64d3211887c424e311b49e9d7a331a33b46ad7b4e40224a6ba
                                                                      • Instruction ID: 4078bf7e3bf8c9883bc9cb089eda74094a8bdab309f81c3e135e4b40b90869ef
                                                                      • Opcode Fuzzy Hash: 05e7b69143b95e64d3211887c424e311b49e9d7a331a33b46ad7b4e40224a6ba
                                                                      • Instruction Fuzzy Hash: B111A0362006119BDB229A69DC80FA6BBA6FFC4751F154529EB83C7791DF30A842CB90
                                                                      Function 01616620 Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cd8d6dcb6da5197ddf582282ffa93c67d638a9783f48940cb0346d46b21e3050
                                                                      • Instruction ID: 68ee84998a1c7321868c4f89f1326c246a80a490726f07aaf036410f7cd37af5
                                                                      • Opcode Fuzzy Hash: cd8d6dcb6da5197ddf582282ffa93c67d638a9783f48940cb0346d46b21e3050
                                                                      • Instruction Fuzzy Hash: A011827AE00626ABDB21DF59CD80B5EFBB8FF88750F550859DA01AB305D770AD01CB91
                                                                      Function 0160EA2E Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e3a47ff8fa7ae11d21c86f81ef9c434db260aeface03237cee3e23bb250e1608
                                                                      • Instruction ID: a02de2a50d5981d29b96ea864a71cedf29a72ad42d3225fb483ae370dfba0e06
                                                                      • Opcode Fuzzy Hash: e3a47ff8fa7ae11d21c86f81ef9c434db260aeface03237cee3e23bb250e1608
                                                                      • Instruction Fuzzy Hash: 65019671A011069FC72ADF19DD44F16BBF9FBC5314F21456EE1058B660C7B19C81CB94
                                                                      Function 0160E53E Relevance: .1, Instructions: 55COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                      • Instruction ID: c6b4fb8058b2e0467087f20929bf0ead474507f546939f4ed81617442feb8014
                                                                      • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                      • Instruction Fuzzy Hash: C311E1722016D2DBE723972CCD54B267B94BB41788F1908E0EE41DB7D2F72AC882C260
                                                                      Function 0166E75D Relevance: .1, Instructions: 54COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                      • Instruction ID: c98e1bcffb8d77aef39b5a61239d3a68b99cee13eeaa34be16f299132549710a
                                                                      • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                      • Instruction Fuzzy Hash: CD01803A700206AFEB25DF59CC04B6A7EADEB85B50F158428EA059B260E77ADD41C790
                                                                      Function 015DA250 Relevance: .1, Instructions: 52COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                      • Instruction ID: 93c5a668c8347499c723d854dc6e31964dbaac17a86359ced22a982790564602
                                                                      • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                      • Instruction Fuzzy Hash: 7301C072505B229BDB318F1E9840A2B7BE9FB55B607008A2DF995CF681D731D800CBA0
                                                                      Function 016B4940 Relevance: .1, Instructions: 52COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a29176e81da687f0c584db813885be69dfddeda3ee843158619c71d039e49125
                                                                      • Instruction ID: c65ef2debe8523b5bc5c04675638482f9f831b1b0be1a139cb967149daa289e4
                                                                      • Opcode Fuzzy Hash: a29176e81da687f0c584db813885be69dfddeda3ee843158619c71d039e49125
                                                                      • Instruction Fuzzy Hash: 940126724412129FC332EF1CCC80E96B7A8EF81370B154219EA6A9B293DB30D841C7C0
                                                                      Function 0165E1D0 Relevance: .1, Instructions: 51COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1af763c1fd02c9d383019f7cc08351599c4b6c6916b1d61376d7ad852b1569c3
                                                                      • Instruction ID: 1dc69773fbed01a1199e2dd981cec034026b6cee5e4c64e02c18a3c40cc5956f
                                                                      • Opcode Fuzzy Hash: 1af763c1fd02c9d383019f7cc08351599c4b6c6916b1d61376d7ad852b1569c3
                                                                      • Instruction Fuzzy Hash: 22118E31641641EFDB15AF19CD90F16BBB9FF94B84F100069E9059B651C635ED01CA90
                                                                      Function 015E6259 Relevance: .1, Instructions: 51COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 74b579ba8a0bc2f29c17a8894870d9a5fe89213701dbdd044ce95f786219875f
                                                                      • Instruction ID: c54ef4823bace91e88a7a75ca30eb51d91fd806f6f8baf0c3767fbe8998e1dc0
                                                                      • Opcode Fuzzy Hash: 74b579ba8a0bc2f29c17a8894870d9a5fe89213701dbdd044ce95f786219875f
                                                                      • Instruction Fuzzy Hash: B8117071941629ABDB25EB64CC61FED73B5BF18714F5041D8E314AA1E0D7709E81CF88
                                                                      Function 01666050 Relevance: .0, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08ab63c5fdc7855f5fb1db95ea7a550a3cbd7aeb7a976312c992cb67e82cbb80
                                                                      • Instruction ID: bf757d2feb8071b87e72fa89c40cd28aba461c87bb5d1b99a3f979c28d30a4af
                                                                      • Opcode Fuzzy Hash: 08ab63c5fdc7855f5fb1db95ea7a550a3cbd7aeb7a976312c992cb67e82cbb80
                                                                      • Instruction Fuzzy Hash: 59112973D00019ABCB11DB94DC80DDFBBBDEF48254F044166E906E7211EA34EA15CBE0
                                                                      Function 015E208A Relevance: .0, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                      • Instruction ID: 34321acb7346b7f47820b9876fb5786f9698cf58da2adf83aaa9c2f8314050b4
                                                                      • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                      • Instruction Fuzzy Hash: C401F572A011018BEF198A5DDC84A967BEBBFC4700F1545A9ED058F28ADA71CC81C390
                                                                      Function 01676500 Relevance: .0, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 02a02a260a22cfb9c91aaaa9b7b9ba74685c531c640fb3f65c8ab000d442b06a
                                                                      • Instruction ID: 6636a4860a7f3a5858b7bf18934cfc47c2c6b4527e8f236f9f5f41e433871c63
                                                                      • Opcode Fuzzy Hash: 02a02a260a22cfb9c91aaaa9b7b9ba74685c531c640fb3f65c8ab000d442b06a
                                                                      • Instruction Fuzzy Hash: B611A1326445469FE711CF68D800BA6BBB9FB9A314F088159E949CB315D732EC81DBA0
                                                                      Function 0166C810 Relevance: .0, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 51f105001ada2449522a575054818fcd3cbd21e1a5783b4b1302d30e0e2b985e
                                                                      • Instruction ID: 6a7ad8a7d06a92af4ddc1e82d73d8d4c1661039760832723eda70239f4371cd5
                                                                      • Opcode Fuzzy Hash: 51f105001ada2449522a575054818fcd3cbd21e1a5783b4b1302d30e0e2b985e
                                                                      • Instruction Fuzzy Hash: D51118B1E006199BCB00DFA9D941AAEBBF8FF58350F10406AE905E7351D674EA01CBA4
                                                                      Function 0168EA60 Relevance: .0, Instructions: 50COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e748a465ddc087866885872d6006a1a776b3838a189e15c39efd1d852aa84870
                                                                      • Instruction ID: 3ea01713e749a9dd8355b066b45293abf073b62de01c22de7601cd320269db8a
                                                                      • Opcode Fuzzy Hash: e748a465ddc087866885872d6006a1a776b3838a189e15c39efd1d852aa84870
                                                                      • Instruction Fuzzy Hash: 9901B1715402129BCB32BF19CC44D36FBA9FF92A50B05452EEA555F311CB22DC42CB91
                                                                      Function 015DC020 Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                      • Instruction ID: 6c6978770460e79238ec40d255229b0af5b24ce8680e8fc8d28ced9d0885123b
                                                                      • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                      • Instruction Fuzzy Hash: 6F01B532100705DFEB3296ADCC40AAB77EEFFC5254F44881DA6468B680DA70E442C750
                                                                      Function 016220F0 Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a94c81667d4361a25ddc511df45892775c15ba35d7e382ef536b23224d72d2ea
                                                                      • Instruction ID: 6504a54127e5b7e3c13910f009d69d66521f60df7fa77442dfe69975235cf23c
                                                                      • Opcode Fuzzy Hash: a94c81667d4361a25ddc511df45892775c15ba35d7e382ef536b23224d72d2ea
                                                                      • Instruction Fuzzy Hash: 72116935A0165DAFDB15EFA8CC54FAE7BBAFB44384F10405DEA019B290DA35AE11CF90
                                                                      Function 0161E5CF Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9a72c7a63e5386ce46bc66fb6cad44ad876c8e43815180c513347d947dae2cef
                                                                      • Instruction ID: ae65122a2f81f749d4d3c05fef15bc7053e8086193c5205c2f9046cd9b8b0230
                                                                      • Opcode Fuzzy Hash: 9a72c7a63e5386ce46bc66fb6cad44ad876c8e43815180c513347d947dae2cef
                                                                      • Instruction Fuzzy Hash: D601F7B1610903BFD311AB3ACD44E13B7ACFF95794B01062DF6058B651DB24EC01C6E0
                                                                      Function 016769C0 Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 116cd584e3fee1b6777bf95cf5606daa9de3c3e5e10b67c7b8d8770c42e023fb
                                                                      • Instruction ID: 0718709696142948aa3b8436c420ccb79e4041698c18de63bf3be4fda67b6dda
                                                                      • Opcode Fuzzy Hash: 116cd584e3fee1b6777bf95cf5606daa9de3c3e5e10b67c7b8d8770c42e023fb
                                                                      • Instruction Fuzzy Hash: C201D832614A129FD324EF6EDC489A6BBA8FB98660F114129ED5987280E7309915CBD1
                                                                      Function 0166C460 Relevance: .0, Instructions: 48COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 269a499603706e7bdd0e7679201f0e9cffecda117a1d7811a05dccdee85cb1ce
                                                                      • Instruction ID: d086cc4a24f8455b7ef8baeb9c91a2ea70b5b001d5ae7ceeafbc25bae03e8eab
                                                                      • Opcode Fuzzy Hash: 269a499603706e7bdd0e7679201f0e9cffecda117a1d7811a05dccdee85cb1ce
                                                                      • Instruction Fuzzy Hash: 77111775A01609EBDB15EFA8CC44EAE7BBAFB98350F004099F94197390DA35EA11DB90
                                                                      Function 0166C97C Relevance: .0, Instructions: 48COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dfb0b472f7cf6dfcbb37ba408b109df81d38ed56ad57a990efd9ecb9c6339eca
                                                                      • Instruction ID: c61da6f724ab5487f60e7539974d7b2ada26cbfc067f1b20f28da194bf69692f
                                                                      • Opcode Fuzzy Hash: dfb0b472f7cf6dfcbb37ba408b109df81d38ed56ad57a990efd9ecb9c6339eca
                                                                      • Instruction Fuzzy Hash: 33117C71A047459FC700DF69C84195BBBE8FF98310F00451EF998D7390D630E900CB96
                                                                      Function 0166CA11 Relevance: .0, Instructions: 48COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 612acf2589be0703c585d9e781ff049d8db6e81fd7291666d2d0eb68080e71a9
                                                                      • Instruction ID: df586978cf9e8fd8744d52d08a99b57d3f905219c08064355923cd163deb1365
                                                                      • Opcode Fuzzy Hash: 612acf2589be0703c585d9e781ff049d8db6e81fd7291666d2d0eb68080e71a9
                                                                      • Instruction Fuzzy Hash: DC117C71A047059FC300DF69C84194BBBE8FF99350F00451EF998D7394E630E900CBA6
                                                                      Function 015FE016 Relevance: .0, Instructions: 46COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                      • Instruction ID: 5971a1ab6ce26683f02b4ab96d66714bba49f42476c2e8e77c0ca16f5bf87545
                                                                      • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                      • Instruction Fuzzy Hash: E20178722006809FE322861DC948F2A7BEDFB84794F0A04A9FA05CF6A1D778DC40CA25
                                                                      Function 015D826B Relevance: .0, Instructions: 46COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 31b7eb6f686a17a5520f1af912d4fdb74d3f8792a9edfe3e467e4b0ab5f4d9c5
                                                                      • Instruction ID: ed85e7018ab030286d1acf9fcf4597bd43b8db5c03795a52bdc68e7dbc734513
                                                                      • Opcode Fuzzy Hash: 31b7eb6f686a17a5520f1af912d4fdb74d3f8792a9edfe3e467e4b0ab5f4d9c5
                                                                      • Instruction Fuzzy Hash: 2101D431B00505DFC724EB6DDC409AE77E9FF81220B0A4469D902AB244EE20D801C791
                                                                      Function 0168EB50 Relevance: .0, Instructions: 46COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 9561699e28e889af99fb31d49513e36f67adcc413405f8ccb20f92330600f764
                                                                      • Instruction ID: 6855adf4142371d5676fd903ecaa376d186ac7e6e28e595b91285d3244822dc3
                                                                      • Opcode Fuzzy Hash: 9561699e28e889af99fb31d49513e36f67adcc413405f8ccb20f92330600f764
                                                                      • Instruction Fuzzy Hash: 8D018FB1781A02AFD3316F19DD40F16BAA8AF55B50F01482EE70A9F390D7B1D8418B58
                                                                      Function 015E2582 Relevance: .0, Instructions: 45COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7e91c2b496bfe7edae979dcf9817fb6faa9fd19b132986ea6305f86eec10d9e7
                                                                      • Instruction ID: 18b2bbdce9705c3c5da575c58bc8048e363f8e9207ce0d8d007297b525a18f57
                                                                      • Opcode Fuzzy Hash: 7e91c2b496bfe7edae979dcf9817fb6faa9fd19b132986ea6305f86eec10d9e7
                                                                      • Instruction Fuzzy Hash: 63F0F472A41B11BBC7359B5A8D44F07BEEDFFC4B90F114429A6069F600DA30ED01CAA0
                                                                      Function 0160C073 Relevance: .0, Instructions: 43COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                      • Instruction ID: 52652bfc0451995940c8034a74cfe3e98744d02531d7baacf626fa2aa8f7b1ea
                                                                      • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                      • Instruction Fuzzy Hash: C9F0C8B2600615ABD325CF4DDC40E57FBEADBD1A80F04856CE615C7320E631DD04CB50
                                                                      Function 016B634F Relevance: .0, Instructions: 43COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3c76613a3edd0d851333a3403a86ddeadecadeda9b5fc5618fe56bd77486eba1
                                                                      • Instruction ID: e84bddd106df27c706df98018733c837d264904d58804d907b6306b4d2b6d67a
                                                                      • Opcode Fuzzy Hash: 3c76613a3edd0d851333a3403a86ddeadecadeda9b5fc5618fe56bd77486eba1
                                                                      • Instruction Fuzzy Hash: F8012171E11619EBDB04DFA9D951A9EB7F8FF58304F10406AE904EB350D7749A01CBA4
                                                                      Function 015DC310 Relevance: .0, Instructions: 43COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                      • Instruction ID: 433d78508368a85ff878a9017010a77f9ae198dcaeaf940085dca3491b270968
                                                                      • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                      • Instruction Fuzzy Hash: 19F02B73258A339BD7325A9D8840B6FAAD5FFD1A64F1A007DF2099F244CE648D02E7D0
                                                                      Function 016B625D Relevance: .0, Instructions: 43COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5643d78a9edf4cfcfa5c038a40d2f6a39e85c601527b28e8c43b735ac9e396a4
                                                                      • Instruction ID: 6eb9dc77c9fa8c970cdde38b7608403f7ef971326eb963b408bb7e9ae0169dcc
                                                                      • Opcode Fuzzy Hash: 5643d78a9edf4cfcfa5c038a40d2f6a39e85c601527b28e8c43b735ac9e396a4
                                                                      • Instruction Fuzzy Hash: E2012171E1061AEBDB04DFA9D851AAEB7F8FF58344F10805AF904EB351D6749901CBA4
                                                                      Function 016B62D6 Relevance: .0, Instructions: 43COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aa4cba7b0e4c03fdd31d0a426ae72dc8d6c85c92974249419641edf8afbd9633
                                                                      • Instruction ID: 59ac34dcca99d6b7188cea4a307ec46086d97d09539b3bc68e78c74199e16248
                                                                      • Opcode Fuzzy Hash: aa4cba7b0e4c03fdd31d0a426ae72dc8d6c85c92974249419641edf8afbd9633
                                                                      • Instruction Fuzzy Hash: 9C012171E01219EBDB04DFA9D841A9EBBF8FF58304F50405AE914EB390D674D901CBA4
                                                                      Function 0161CA6F Relevance: .0, Instructions: 42COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                      • Instruction ID: 3e8a209863417396007c268404d50e3b97897da3518b7e7461075124d52acb2b
                                                                      • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                      • Instruction Fuzzy Hash: 8901AD322416859BE323971ECD05B59BF9CEF81750F0C40A9FE448BBA1D769C801C210
                                                                      Function 016B61E5 Relevance: .0, Instructions: 41COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a3444468dd6ee99be8731ca7a17349c5840d222d558af2473d515df0e584ca73
                                                                      • Instruction ID: 9d2fcdc528d9b4bb7b4a62e53a3dd6f581887379ddab1e3533f08e619d0d2144
                                                                      • Opcode Fuzzy Hash: a3444468dd6ee99be8731ca7a17349c5840d222d558af2473d515df0e584ca73
                                                                      • Instruction Fuzzy Hash: CF012C71E016599FDB14DFA9D845AEEBBB8BF58310F14405AE501AB380DB74EA01CBA8
                                                                      Function 016663C0 Relevance: .0, Instructions: 41COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                      • Instruction ID: d154a68f313ad2c36cd26cebc280fece81c8607a407a5079b3d65ac8603a9955
                                                                      • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                      • Instruction Fuzzy Hash: 7CF01D7220001EBFEF029F95DD80DAF7B7EFF59298B114129FA1196160D631DE21EBA0
                                                                      Function 0166A4B0 Relevance: .0, Instructions: 40COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 241eddff429c142e4297642fb8c135fd45c133f598acf9debef7cc963da45fcd
                                                                      • Instruction ID: cd7f7f8ccb3f9c18b8a5cce037dbd2c8ec34d1e539f142177c4adecdbe8173fb
                                                                      • Opcode Fuzzy Hash: 241eddff429c142e4297642fb8c135fd45c133f598acf9debef7cc963da45fcd
                                                                      • Instruction Fuzzy Hash: 81019736511259ABCF129F84DC40EDE7F6AFB4C764F068105FE1966220C732D971EB81
                                                                      Function 015DC0F0 Relevance: .0, Instructions: 39COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fde7fe346c96c5bc597d1255b1045cab55ea1c969dd2aea00b40624114679d65
                                                                      • Instruction ID: df5bafb922c84c6002b25c416a1c79172ee3310c4c6c48482eef1ae76c383607
                                                                      • Opcode Fuzzy Hash: fde7fe346c96c5bc597d1255b1045cab55ea1c969dd2aea00b40624114679d65
                                                                      • Instruction Fuzzy Hash: 2BF024716042626BF73496AD8C42B6232DAFBC4650F25842EEB098F2C1E970DC01C3A4
                                                                      Function 0161656A Relevance: .0, Instructions: 39COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8805837cf79eda02a782f93cef8dde54b64263e70fca0e75c4bfe625bdb344b0
                                                                      • Instruction ID: d6d9fa4fd39f4b76387d9d525664f6282db416e92575c3aedcab7d24b6ca096d
                                                                      • Opcode Fuzzy Hash: 8805837cf79eda02a782f93cef8dde54b64263e70fca0e75c4bfe625bdb344b0
                                                                      • Instruction Fuzzy Hash: 610144756016819BF362976DCD48B2537A8BB40B44F484194FA01CBBEAEB68D442C624
                                                                      Function 0168437C Relevance: .0, Instructions: 37COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                      • Instruction ID: 4bc1bf1b61b57e5102c9b00a0dc97bc9deb4491835b09eeea585abbf45c6a86b
                                                                      • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                      • Instruction Fuzzy Hash: 4AF08235341E2357EB76BA2F9C20B2EBA96AFA0A50B09072C9655DB780DF60D8018790
                                                                      Function 0166E872 Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                      • Instruction ID: 691c3101c5f56691baf2cecd1d1347b99a6f2afdbb983fde94d7b64351545271
                                                                      • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                      • Instruction Fuzzy Hash: A8F05E36B516129BE721DA4ECC80F16B7ACBFD5A60F1B016DA6049B360C762EC02C7D0
                                                                      Function 0166C89D Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 04b336c98e17038807aefc88783eca45748ea62113543f002deb91b7483f362f
                                                                      • Instruction ID: dcefc2921ac8cd40eb8621733c45d975c2d73796d37b706d2f9e06642766ddee
                                                                      • Opcode Fuzzy Hash: 04b336c98e17038807aefc88783eca45748ea62113543f002deb91b7483f362f
                                                                      • Instruction Fuzzy Hash: CBF0AF70A057449FC320EF28C841A1ABBE4FF98710F40465EB898DB394EA34E901CB96
                                                                      Function 01610854 Relevance: .0, Instructions: 35COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                      • Instruction ID: db811055465241bf195ddb465667561ccb497b6ba8f32c69e201518c0181423b
                                                                      • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                      • Instruction Fuzzy Hash: F1F0F072610201EEEB24DF25CC00F46B6E9EF98344F2980A8AA44CB2B4FAB0DD41C654
                                                                      Function 0166C912 Relevance: .0, Instructions: 34COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4e4146b6b4f26b8d368c011f307655278ae3deb4d5614bee0d2e42daa29f713
                                                                      • Instruction ID: 78d0c08230e3a23cb7dc796c52e3c6dd6438024c314943ccfd9907ac1b0fe883
                                                                      • Opcode Fuzzy Hash: b4e4146b6b4f26b8d368c011f307655278ae3deb4d5614bee0d2e42daa29f713
                                                                      • Instruction Fuzzy Hash: 60F0C270A01609DFCB04EF69C911E9EB7B4FF18300F008059F945EB385DA38EA01CB64
                                                                      Function 015E47FB Relevance: .0, Instructions: 33COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c60373364914fd4a37cf1122f2ac4fd9999ac69443a87786fd3a1f4a21d27bae
                                                                      • Instruction ID: 498648e13c67cce9c61397ab105e9086d256d9e37802ca4892ba2d92ee53241a
                                                                      • Opcode Fuzzy Hash: c60373364914fd4a37cf1122f2ac4fd9999ac69443a87786fd3a1f4a21d27bae
                                                                      • Instruction Fuzzy Hash: DEF0BE31D1E6E59FE73ACB6CC4ACB69BBD4BB00620F09896AD589CF502C724D880C650
                                                                      Function 016A0115 Relevance: .0, Instructions: 32COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c93e098d78261bcf8db100246b960af7538b5dec098c397d610a7f02cc0afe51
                                                                      • Instruction ID: 0b4e1e520c1efd1a5903796ebae2282523983afbf7f368888257240324ba8385
                                                                      • Opcode Fuzzy Hash: c93e098d78261bcf8db100246b960af7538b5dec098c397d610a7f02cc0afe51
                                                                      • Instruction Fuzzy Hash: 84F02766C176C10BCF325B6CEC902D12F59A741018F492089D4A05B305C674AC93CBA4
                                                                      Function 0161C5ED Relevance: .0, Instructions: 31COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: de29199e1f84ff280e3faf8a56c10a0d2b1ef23fb1d7bc01538feac106917e5e
                                                                      • Instruction ID: 36fe71e0328e30b7816c9b4c3cf236670f2629ba6ad18a672a781f6cb41d51ce
                                                                      • Opcode Fuzzy Hash: de29199e1f84ff280e3faf8a56c10a0d2b1ef23fb1d7bc01538feac106917e5e
                                                                      • Instruction Fuzzy Hash: C2F0E2715916719FE322D71CC998B5D7BE4AB807A0F0CAC25D50A87616C760E881CAD0
                                                                      Function 01622619 Relevance: .0, Instructions: 31COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                      • Instruction ID: 51983c13305b44c2cbfc31d78d5f847ee0dab6c267b9573b12f69026e6ff84e2
                                                                      • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                      • Instruction Fuzzy Hash: 08E0D872300A222BE7219E598CD0F577B6EEFD2B10F04047DF6045F252CAE6DC1986A4
                                                                      Function 01676030 Relevance: .0, Instructions: 29COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                      • Instruction ID: 9b0b6b8a9524680a58b6c530713784d4c90b33656eacbc411cbe2c2df7558c1b
                                                                      • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                      • Instruction Fuzzy Hash: 27F0A072100604DFF3228F09DE40F52BBF8EB15364F01C029E6089B660E379EC40CBA0
                                                                      Function 015E0710 Relevance: .0, Instructions: 28COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                      • Instruction ID: 2ba348584725bd0b1a15726e32afbfad1b607217717d0c4a898edf4295b8a404
                                                                      • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                      • Instruction Fuzzy Hash: E8F0E53A704341DBEB1ACF19C450A957BE8FB81350B000458F8428F381D775E982CB64
                                                                      Function 016149D0 Relevance: .0, Instructions: 28COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                      • Instruction ID: b8c7392e77034d8b5eda63ddc095d498d6946eacf63322a7a5e4bfeca7803d58
                                                                      • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                      • Instruction Fuzzy Hash: F1E0D833254245AFD3211E598C00B667BA6EBD07A0F1B0429EA00CB25CDF70DC41C7DC
                                                                      Function 016B4164 Relevance: .0, Instructions: 27COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4fa7d080bc79bf8150ed808674b35a6035b3a59b3b4edd5d05a6043d70e40223
                                                                      • Instruction ID: 0c55b4427c4b564652516ae1b5fe07b32d290689cd2072d3c17cd115d8b98471
                                                                      • Opcode Fuzzy Hash: 4fa7d080bc79bf8150ed808674b35a6035b3a59b3b4edd5d05a6043d70e40223
                                                                      • Instruction Fuzzy Hash: BAF06531E269918FE7B2D72CE9D4BE577E4AF50631F1A0554D4068BA13CB24DCC1C750
                                                                      Function 0168678E Relevance: .0, Instructions: 27COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                      • Instruction ID: 99e6d750fc11655dfba0ac6fbbfe0c892a0dd1accbe072908fbf4850fb360600
                                                                      • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                      • Instruction Fuzzy Hash: 77E0DF32A00110BBDB21A799CD01FAABEACEB90FA0F050098B701EB1D0E630DE00C6D0
                                                                      Function 016B08C0 Relevance: .0, Instructions: 25COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                      • Instruction ID: b4f3b79fb0bcc5793f48bdb1d485e3f71d9259e0e8ac6c203d89fca5517222cf
                                                                      • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                      • Instruction Fuzzy Hash: 07E065316403509FCF258A19D980AD3BBBDDF95660F168469E90547712C331E982C790
                                                                      Function 015E25E0 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f59be1ffb5cee5a098bf7e30d6aac0540f2339ae263af2e1a2d70f6d4fa9c83f
                                                                      • Instruction ID: 5e4776ba2b78b69a26f7b47da9d1a7fd5e25ad633a7a8ded432fdb170165a485
                                                                      • Opcode Fuzzy Hash: f59be1ffb5cee5a098bf7e30d6aac0540f2339ae263af2e1a2d70f6d4fa9c83f
                                                                      • Instruction Fuzzy Hash: BBE092321009A69BC725BF29DD15F9A77DAFFA4364F014519F1159B190CB30A810CB88
                                                                      Function 0169A456 Relevance: .0, Instructions: 23COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                      • Instruction ID: edded162990734381b6aaa6488784c00c98652259c9b43298b6796730fcb01c3
                                                                      • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                      • Instruction Fuzzy Hash: 03E09231011A12DFEB366F2ACC58B527AE5BF90B11F148C2CE196025B0C77598D0CA44
                                                                      Function 01664000 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                      • Instruction ID: 601ef9acb785fa477c9cdef0bba76c26738f6e4846db81da60b36d6b6127f690
                                                                      • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                      • Instruction Fuzzy Hash: 3CE0C2343003168FE715CF19C440B627BBABFD5A10F28C068A9488F305EB32E842CB40
                                                                      Function 0161CA38 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1c70736c37b686c330ebe8a8d115cae2ab704e82799f00e3b8af6ec4a7a30d90
                                                                      • Instruction ID: 9fed4f1794dbf7ee381d80d781445d09d4b0ebff71130d7dd6b604b993f75212
                                                                      • Opcode Fuzzy Hash: 1c70736c37b686c330ebe8a8d115cae2ab704e82799f00e3b8af6ec4a7a30d90
                                                                      • Instruction Fuzzy Hash: 51D02B334D10716ECB37F5287C04FD73A59AB50360F098860FA08D2014D515CC8182C4
                                                                      Function 015D823B Relevance: .0, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                      • Instruction ID: 71283bf6f9bf3269a8b316ac5eeed8916ab5b53a8cfc980fe326beab108e91af
                                                                      • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                      • Instruction Fuzzy Hash: 84E08C31100A22EEDB322F1DDC10B5176A6FFA4B21F11482DE0810A1A487B0A881CB48
                                                                      Function 015E2050 Relevance: .0, Instructions: 20COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aaa2e968b3a877b33a5a85f4fc37b0f387cce358cbbda1c376ca1a37b60a7166
                                                                      • Instruction ID: 641ccf23b8454e0dea8cb3b318f6b13d4818faac8db5654345bccae4abafa6ac
                                                                      • Opcode Fuzzy Hash: aaa2e968b3a877b33a5a85f4fc37b0f387cce358cbbda1c376ca1a37b60a7166
                                                                      • Instruction Fuzzy Hash: BAE08C325004A26BC715FA5DDD10F5A739EFFE4260F010225F1509B294CA60AC00CB94
                                                                      Function 01636AA4 Relevance: .0, Instructions: 17COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                      • Instruction ID: a09c7fb4e6971bc2e8e38d78bfd5fee3cf6c22fdb9e3cc3251281507ebb89d7d
                                                                      • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                      • Instruction Fuzzy Hash: A8D05E36511A50AFD7329F1BEE00D13BBF9FFC4A10706062EA54683A20C770A806CBA0
                                                                      Function 0161E59C Relevance: .0, Instructions: 16COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                      • Instruction ID: 766049fc81cada3f5d91fe573cf22b5a0fb0660bea33d6d8a2c11b6d1adefe63
                                                                      • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                      • Instruction Fuzzy Hash: 53D0A932224621ABEBB2AA1CFC00FC333E8BB88760F060459B008CB150C360AC81CA84
                                                                      Function 0165E908 Relevance: .0, Instructions: 16COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                      • Instruction ID: 8ef0358931afe653d53acdcb0bd49f1cecca014ecc0b769e6279cd92c6774265
                                                                      • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                      • Instruction Fuzzy Hash: 04E08C319106819BDF52DF59CA40F4AFBF4FB94B00F150008A5085F220C325A900CB40
                                                                      Function 015DA0E3 Relevance: .0, Instructions: 15COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                      • Instruction ID: 504a394419a104a942ba5eab7a8333add069a316daa540d12198b2b8d7b3fe24
                                                                      • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                      • Instruction Fuzzy Hash: 62D0223322203293DF3856A9A810F676905BFC0A90F0A002C350A9B800C1048C82C3E0
                                                                      Function 0161A830 Relevance: .0, Instructions: 14COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                      • Instruction ID: 798e8c81ec44bc26c496deb17967500828e16304db8f93909bebe8adc5ea8c88
                                                                      • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                      • Instruction Fuzzy Hash: AFD012371E054EBBDB119F66DC01F957BA9FBA4BA0F454020B6048B5A0C63AE950D584
                                                                      Function 0161CA24 Relevance: .0, Instructions: 14COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 348308bef9444335ad99a62b811e2e4f0f73634fc4d4b8424ec94ef53543c4cf
                                                                      • Instruction ID: b4d7f9978e32f760cec3a451aec4b5b22cff47f0780e4532383b53c40fd0865f
                                                                      • Opcode Fuzzy Hash: 348308bef9444335ad99a62b811e2e4f0f73634fc4d4b8424ec94ef53543c4cf
                                                                      • Instruction Fuzzy Hash: 28D0A731556002CBDF57CF09CD20E2E3A74FF14740F44106CEF4052520D324DC11C600
                                                                      Function 015F02A0 Relevance: .0, Instructions: 13COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                      • Instruction ID: 000f776f535c293b046aebd0ec9fb8e7d36f8cccdbbaacdb5a6b7828db83fbec
                                                                      • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                      • Instruction Fuzzy Hash: 98D0C939252E80CFD71BCB0CC9A4B1933A4FB44B44F890494F501CBB62DA2CD940CA10
                                                                      Function 0161C700 Relevance: .0, Instructions: 12COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                      • Instruction ID: 00aea43265b15c1d24e29dc3099becf0ed9bb358da58be98ed359fe7a38a2712
                                                                      • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                      • Instruction Fuzzy Hash: DBC012322A0649AFDB12AA99CD01F027BA9FBA8B40F010021F3048B670C631E820EA84
                                                                      Function 01600310 Relevance: .0, Instructions: 11COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                      • Instruction ID: 59a413a418a8948ab208ce73ccf4cdeb63a4da1bf0b787193427964c2212f447
                                                                      • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                      • Instruction Fuzzy Hash: 4DD01236100249EFCB06DF41C890E9B772BFBD8750F108019FD1907650CA31ED62DA50
                                                                      Function 015E0750 Relevance: .0, Instructions: 9COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                      • Instruction ID: 6c336e55a331adbd0f7de78626de7151f10e46f4c7f22d14132f9dfc356fd1a2
                                                                      • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                      • Instruction Fuzzy Hash: 04C04879701A428FDF16DB2AD694F4977E4FB94780F151890E905CBB22E724E801CA20
                                                                      Function 01624340 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 24f8f2fe1517a8a1385a1e3e263487d9258d6fdd81561b80d930ae0fd66e03fd
                                                                      • Instruction ID: 7e1b898d788f818832c5abbf37a13e93fd04308b17df047c2942f96694e16d8c
                                                                      • Opcode Fuzzy Hash: 24f8f2fe1517a8a1385a1e3e263487d9258d6fdd81561b80d930ae0fd66e03fd
                                                                      • Instruction Fuzzy Hash: 0A900231A0580012914075584C845874019A7E0301B55C111F4428654DCA148A576361
                                                                      Function 01624650 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d4d28ce3ba5d4a20c27670f86d174096c8083df4b05e7ae371fa6f3298c03f41
                                                                      • Instruction ID: 725f4271369b65f3cc37bed8a8cda3f6f83cc453420c853fc12b5d2cd36f2268
                                                                      • Opcode Fuzzy Hash: d4d28ce3ba5d4a20c27670f86d174096c8083df4b05e7ae371fa6f3298c03f41
                                                                      • Instruction Fuzzy Hash: FB900261A0150042414075584C044476019A7E1301395C215B4558660DC6188956A369
                                                                      Function 01622B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5eb9814fd03e2a09ce451630871a4541044afca3725e6102394a06c7b8c539b8
                                                                      • Instruction ID: 119f454aec3e1f0769b613b9e84411ff55839c1fcea223a15ef3740b23d64b2b
                                                                      • Opcode Fuzzy Hash: 5eb9814fd03e2a09ce451630871a4541044afca3725e6102394a06c7b8c539b8
                                                                      • Instruction Fuzzy Hash: E490026160240003410575584814657401E97E0201B55C121F5018690EC52589927225
                                                                      Function 01622BE0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4eb3be20b9243b52930b52faafc3462db28d5fbf4e80b3d286568c00e10f5801
                                                                      • Instruction ID: 1159db235640ac98f4e9d1ddd1a1108f23695ee711291f242311c31b103996f1
                                                                      • Opcode Fuzzy Hash: 4eb3be20b9243b52930b52faafc3462db28d5fbf4e80b3d286568c00e10f5801
                                                                      • Instruction Fuzzy Hash: B890023160544842D14075584804A87002997D0305F55C111B4068794ED6258E56B761
                                                                      Function 01622BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 27b8a40c44056aaaea340e6fbaa86d92b735123e8aaf1dc5763e7f03c345d032
                                                                      • Instruction ID: 582780dc4cbe9027a3cfcc94bfa719023b3f358872e2e4f63cd469382d794646
                                                                      • Opcode Fuzzy Hash: 27b8a40c44056aaaea340e6fbaa86d92b735123e8aaf1dc5763e7f03c345d032
                                                                      • Instruction Fuzzy Hash: 8890023160140802D1807558480468B001997D1301F95C115B4029754ECA158B5A77A1
                                                                      Function 01622BA0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e08539872ef7fb56abaf9f1799c797a184622e762fabbf953c617a85ff123abf
                                                                      • Instruction ID: bafddcc67570bddb99f47d98d03263116fcf627a32c8f1a4a78dfce8c7d53337
                                                                      • Opcode Fuzzy Hash: e08539872ef7fb56abaf9f1799c797a184622e762fabbf953c617a85ff123abf
                                                                      • Instruction Fuzzy Hash: FE900231A0540802D15075584814787001997D0301F55C111B4028754EC7558B5677A1
                                                                      Function 01622B80 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8df28d99798126962fbb3b16d3e31ec9e20259b8fc86e8e34fb1631ce5a1a1e7
                                                                      • Instruction ID: 4ce90f233dfa97549dc463fdd13c54a813f96a76a4b804871d8f16f78971c4c3
                                                                      • Opcode Fuzzy Hash: 8df28d99798126962fbb3b16d3e31ec9e20259b8fc86e8e34fb1631ce5a1a1e7
                                                                      • Instruction Fuzzy Hash: 1990023160140802D10475584C046C7001997D0301F55C111BA028755FD66589927231
                                                                      Function 01622AF0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6fd83bedb9c482c17bd871f7d7795df464648aae3eaa07fa7e24108c176ac3ca
                                                                      • Instruction ID: a82279eaef2d5856c494d71b4466d99d626a5478ee916a83462166739dda2116
                                                                      • Opcode Fuzzy Hash: 6fd83bedb9c482c17bd871f7d7795df464648aae3eaa07fa7e24108c176ac3ca
                                                                      • Instruction Fuzzy Hash: D6900225621400020145B9580A0454B0459A7D6351395C115F541A690DC62189666321
                                                                      Function 01622AD0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c052e1d47165896875402f43dafe319e107ea026f194ca7f28a563df4716d6ce
                                                                      • Instruction ID: 3fffe49c1c3974feff603bda7669d947b01112b311e8fd06bf8a87a8e1d679ca
                                                                      • Opcode Fuzzy Hash: c052e1d47165896875402f43dafe319e107ea026f194ca7f28a563df4716d6ce
                                                                      • Instruction Fuzzy Hash: F9900225611400030105B9580B04547005A97D5351355C121F5019650DD62189626221
                                                                      Function 01622AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0367735d904ba0de99d1d5a871b35e8634728900d4372b00b335a54040f88759
                                                                      • Instruction ID: 68d7f34f4cdb8c3dab5087b18f5589d415505542f8bdab5a54d879a5bd0280f0
                                                                      • Opcode Fuzzy Hash: 0367735d904ba0de99d1d5a871b35e8634728900d4372b00b335a54040f88759
                                                                      • Instruction Fuzzy Hash: DB9002A1601540924500B6588804B4B451997E0201B55C116F5058660DC5258952A235
                                                                      Function 01622D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0d3f5dc1cb3bf04834cf90effd358b2c2f6ec4ccb89c58dc5578d698374e5766
                                                                      • Instruction ID: 515b2d808c915ee7619eccf3db4ea1af6d54da2adbf2df7a1204f325bd2f02f2
                                                                      • Opcode Fuzzy Hash: 0d3f5dc1cb3bf04834cf90effd358b2c2f6ec4ccb89c58dc5578d698374e5766
                                                                      • Instruction Fuzzy Hash: 5190022170140003D140755858186474019E7E1301F55D111F4418654DD91589576322
                                                                      Function 01622D00 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2896736bd1c45558f58670be876da8786d82f582736b629d2981836a0557e290
                                                                      • Instruction ID: 9534a3514ca3088d9701761bd931f54a39d895fc5247efbcea92706b1affbf28
                                                                      • Opcode Fuzzy Hash: 2896736bd1c45558f58670be876da8786d82f582736b629d2981836a0557e290
                                                                      • Instruction Fuzzy Hash: 8490022160544442D10079585808A47001997D0205F55D111B5068695EC6358952B231
                                                                      Function 01622D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3c50586ab1ac678e50b9c223e7559a5c258a93dea059e25bd93f678a4890fdb2
                                                                      • Instruction ID: ec2abb7e873f34c535eeaee0232493ab568d4e804ef536429c7fe38148889762
                                                                      • Opcode Fuzzy Hash: 3c50586ab1ac678e50b9c223e7559a5c258a93dea059e25bd93f678a4890fdb2
                                                                      • Instruction Fuzzy Hash: E890022961340002D1807558580864B001997D1202F95D515B4019658DC915896A6321
                                                                      Function 01622DD0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 37ba8a62d5678c92ca60afd48b0d419a8f4c97917fa652db950b33021dd3cf32
                                                                      • Instruction ID: 3d42a38b286ffb557e427aba0367e3e1e714693bfd5573282394018295ba9c0b
                                                                      • Opcode Fuzzy Hash: 37ba8a62d5678c92ca60afd48b0d419a8f4c97917fa652db950b33021dd3cf32
                                                                      • Instruction Fuzzy Hash: 7E900221642441525545B5584804547401AA7E0241795C112B5418A50DC5269957E721
                                                                      Function 01622DB0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6561654cab14ca47970e689e12ba906e4a3072c3fdb490c0c3bef1f7a62fe88b
                                                                      • Instruction ID: 15267ba1cf9ea3eec1531246695f48a95d6435a59a0594420a4a483b628b745a
                                                                      • Opcode Fuzzy Hash: 6561654cab14ca47970e689e12ba906e4a3072c3fdb490c0c3bef1f7a62fe88b
                                                                      • Instruction Fuzzy Hash: 4390023164140402D14175584804647001DA7D0241F95C112B4428654FC6558B57BB61
                                                                      Function 01622C60 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 743cc6c225d4ea7c3127090ed6d6a42b8a4c6808c32af0747fcb3c85f59bf4ba
                                                                      • Instruction ID: 421a0678a48329a28931c22a7e9d69f949bb2609646f05e6c259c8a447cd69cf
                                                                      • Opcode Fuzzy Hash: 743cc6c225d4ea7c3127090ed6d6a42b8a4c6808c32af0747fcb3c85f59bf4ba
                                                                      • Instruction Fuzzy Hash: 4D90023160140842D10075584804B87001997E0301F55C116B4128754EC615C9527621
                                                                      Function 01622CF0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2c1a005dc34a1b068313b68003dfba9f765d2be1883e0a86209331554b9d849c
                                                                      • Instruction ID: cbd809485981f75771cf47953f54d7950360f11a47a186ee19503a36d5a832c6
                                                                      • Opcode Fuzzy Hash: 2c1a005dc34a1b068313b68003dfba9f765d2be1883e0a86209331554b9d849c
                                                                      • Instruction Fuzzy Hash: FF90023160140403D10075585908747001997D0201F55D511B4428658ED65689527221
                                                                      Function 01622CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3212f3cab074bc7cad90ee1fca754006bf4893e2f1073b0d49e1cf17a89d6c9d
                                                                      • Instruction ID: 5928c4be002b61f500ab65227190695336f2c456400e53e4a935210435ed37a6
                                                                      • Opcode Fuzzy Hash: 3212f3cab074bc7cad90ee1fca754006bf4893e2f1073b0d49e1cf17a89d6c9d
                                                                      • Instruction Fuzzy Hash: 72900221A0540402D14075585818747002997D0201F55D111B4028654EC6598B5677A1
                                                                      Function 01622CA0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dc111efc348186f22080a74591f2621edcdd675cc6dc8eb86bbf4d42742e8bc7
                                                                      • Instruction ID: 4bb3a187540f99e8ae0bda280d7916c47d03cc556fb995c93ab2afd887aebf19
                                                                      • Opcode Fuzzy Hash: dc111efc348186f22080a74591f2621edcdd675cc6dc8eb86bbf4d42742e8bc7
                                                                      • Instruction Fuzzy Hash: F090023160140402D10079985808687001997E0301F55D111B9028655FC66589927231
                                                                      Function 01622F60 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d93a40ad9f1f31d9ccb71d972073e3bf6b894bca1296fc2cf0c9aacb2eef4015
                                                                      • Instruction ID: 7eea379ad48d82d1d126a27243c8e0b994578c7c2a44069bcffd11a9fdd69ddd
                                                                      • Opcode Fuzzy Hash: d93a40ad9f1f31d9ccb71d972073e3bf6b894bca1296fc2cf0c9aacb2eef4015
                                                                      • Instruction Fuzzy Hash: A290026161140042D10475584804747005997E1201F55C112B6158654DC5298D626225
                                                                      Function 01622F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: acd0d3af64e157c8bca5307f7dbe375d798c6601204e816ae613dd2e916e0fe9
                                                                      • Instruction ID: 85827fdca13be65be3c6a05a5885ac76fd36acefe2ad5d620eec2fd5f1f8a1a0
                                                                      • Opcode Fuzzy Hash: acd0d3af64e157c8bca5307f7dbe375d798c6601204e816ae613dd2e916e0fe9
                                                                      • Instruction Fuzzy Hash: 7D90026174140442D10075584814B470019D7E1301F55C115F5068654EC619CD537226
                                                                      Function 01622FE0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4eaa560f911b805770b44e4acfc744febfd080fc277bd576f0c499e3c02241cc
                                                                      • Instruction ID: 960e9c4ee8dc741bf810036b521e46bb385d08a6674cd38ef3d4c71de031fd17
                                                                      • Opcode Fuzzy Hash: 4eaa560f911b805770b44e4acfc744febfd080fc277bd576f0c499e3c02241cc
                                                                      • Instruction Fuzzy Hash: 70900221611C0042D20079684C14B47001997D0303F55C215B4158654DC91589626621
                                                                      Function 01622FA0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c22a6cdb42421cb57375658fd4533ff36e979905263ef960b424ad794445fd0e
                                                                      • Instruction ID: 8d8755636ef5e04d418c9f0916bed2be32761e68a0946823ef2f89fa17f25d84
                                                                      • Opcode Fuzzy Hash: c22a6cdb42421cb57375658fd4533ff36e979905263ef960b424ad794445fd0e
                                                                      • Instruction Fuzzy Hash: D790023160180402D10075584C08787001997D0302F55C111B9168655FC665C9927631
                                                                      Function 01622FB0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e288e87a111f8a3a945e6e2ba607dcd95682b60220314591e138816b351c4777
                                                                      • Instruction ID: 17efea7722245aa643fd2d8cf566122ccb8af1deffaf949c20be22f7e80bbd57
                                                                      • Opcode Fuzzy Hash: e288e87a111f8a3a945e6e2ba607dcd95682b60220314591e138816b351c4777
                                                                      • Instruction Fuzzy Hash: E1900221A0140042414075688C449474019BBE1211755C221B499C650EC55989666765
                                                                      Function 01622F90 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b69a2923e928832a0817bb81d41d1c68767be70b85ebeb72acfc1086a272725e
                                                                      • Instruction ID: 90cbecadbbb7e82bf8bab2c24fb1fdbbed182b87bcf429ed8183b634e67ca50d
                                                                      • Opcode Fuzzy Hash: b69a2923e928832a0817bb81d41d1c68767be70b85ebeb72acfc1086a272725e
                                                                      • Instruction Fuzzy Hash: 5590023160180402D10075584C1474B001997D0302F55C111B5168655EC62589527671
                                                                      Function 01622E30 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5354fa723196220c7754cf146bfe2f2cd1ebc38d802c3468f50df89873561ebb
                                                                      • Instruction ID: 673578c4cb118c7ed92ac34c754b4e2cfbadb0b056316898dbd71e16af735a00
                                                                      • Opcode Fuzzy Hash: 5354fa723196220c7754cf146bfe2f2cd1ebc38d802c3468f50df89873561ebb
                                                                      • Instruction Fuzzy Hash: 2790022170140402D10275584814647001DD7D1345F95C112F5428655EC6258A53B232
                                                                      Function 01622EE0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bf88ed5b962a9d10463eda1d53b7a2c0a4c2019ae51555b68d90659d8e7ab809
                                                                      • Instruction ID: 31e03e3c2f8351e93db5a5ce897fbd6ea6108adf852c194bf666d5f27f6dabe6
                                                                      • Opcode Fuzzy Hash: bf88ed5b962a9d10463eda1d53b7a2c0a4c2019ae51555b68d90659d8e7ab809
                                                                      • Instruction Fuzzy Hash: 4290026160180403D14079584C04647001997D0302F55C111B6068655FCA298D527235
                                                                      Function 01622EA0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 11ff5feaede1f68f87c3c8e09a5837a0e3fdbf8e65cb54efa6585fe2274f31a0
                                                                      • Instruction ID: 76406eb8f64f35bc280264ff41e2467f18802094aaa8a3f8b99b65166c85b5fd
                                                                      • Opcode Fuzzy Hash: 11ff5feaede1f68f87c3c8e09a5837a0e3fdbf8e65cb54efa6585fe2274f31a0
                                                                      • Instruction Fuzzy Hash: DE90027160140402D14075584804787001997D0301F55C111B9068654FC6598ED67765
                                                                      Function 01622E80 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0a3f3d5f5985cf13b91096d903eb750c27fc80627568db2b5f254e674924b088
                                                                      • Instruction ID: 21f9a2341c93cb785f6cacb1c3f6ae09ce67f25f9c03e6aba25cefaec2df2104
                                                                      • Opcode Fuzzy Hash: 0a3f3d5f5985cf13b91096d903eb750c27fc80627568db2b5f254e674924b088
                                                                      • Instruction Fuzzy Hash: B4900221A0140502D10175584804657001E97D0241F95C122B5028655FCA258A93B231
                                                                      Function 01623010 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1792beb5b98b42ff63d31e9e824d210af926f2d5c562059135edca718bedc5f4
                                                                      • Instruction ID: 24c80406cbf5189c170037a53bec3a52cbfba8de37d1f4205143288984db27ee
                                                                      • Opcode Fuzzy Hash: 1792beb5b98b42ff63d31e9e824d210af926f2d5c562059135edca718bedc5f4
                                                                      • Instruction Fuzzy Hash: AD90022160184442D14076584C04B4F411997E1202F95C119B815A654DC91589566721
                                                                      Function 01623090 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2417102436b5f4f97427c8cfe2520e0f18802ff83947b6f67326697f5802022a
                                                                      • Instruction ID: ddfa124eb22936ddc555bffbee4075f3f055ce91d7d7b7ed710aa780feeb9ca7
                                                                      • Opcode Fuzzy Hash: 2417102436b5f4f97427c8cfe2520e0f18802ff83947b6f67326697f5802022a
                                                                      • Instruction Fuzzy Hash: EE90022164140802D14075588814747001AD7D0601F55C111B4028654EC6168A6677B1
                                                                      Function 016239B0 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7b296c17c0f2578fd0cbe0841826ebe982c5c45dd217fbb5b90888ba20c9cb8d
                                                                      • Instruction ID: efe09fdd7cafd7f81256dab66ce4962bed382a49aaa1585a856e2a37f641b16e
                                                                      • Opcode Fuzzy Hash: 7b296c17c0f2578fd0cbe0841826ebe982c5c45dd217fbb5b90888ba20c9cb8d
                                                                      • Instruction Fuzzy Hash: E290022164545102D150755C48046574019B7E0201F55C121B4818694EC55589567321
                                                                      Function 01623D70 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 27ebed3cc3c6b7b809a520367706dc48b1a60768ba181899274e3de09cc078a9
                                                                      • Instruction ID: 012acfd66690d32797e67ac1c0ba28a6882a05859764ee7102b033e05876f23f
                                                                      • Opcode Fuzzy Hash: 27ebed3cc3c6b7b809a520367706dc48b1a60768ba181899274e3de09cc078a9
                                                                      • Instruction Fuzzy Hash: 6690023560140402D51075585C04687005A97D0301F55D511B4428658EC65489A2B221
                                                                      Function 01623D10 Relevance: .0, Instructions: 4COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 811240d8e50a77dab454092a62b8bb06dfe0cbc3e027a3fcc8f9554fa7aac59e
                                                                      • Instruction ID: 371701308864b20497b3d9984e89a382189ef63d1f2ec91701451150d00d4faf
                                                                      • Opcode Fuzzy Hash: 811240d8e50a77dab454092a62b8bb06dfe0cbc3e027a3fcc8f9554fa7aac59e
                                                                      • Instruction Fuzzy Hash: C990023160240142954076585C04A8F411997E1302B95D515B4019654DC91489626321
                                                                      Function 01622C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                      • Instruction ID: c7d9afe136069f0c68253de7c04ef4060bfab72a4479e3710ef4d3ba6b94f280
                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                      • Instruction Fuzzy Hash:
                                                                      Function 01622890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                      • API String ID: 48624451-2108815105
                                                                      • Opcode ID: 4492cc3960d0fc8677ae8f6184f7ea7378df4c388c007c5328718bcb9298d4e2
                                                                      • Instruction ID: d3c6df49288c10b7ef080d3bc8b1f898abe36b88b8b289dc30a0fa0998e97aaa
                                                                      • Opcode Fuzzy Hash: 4492cc3960d0fc8677ae8f6184f7ea7378df4c388c007c5328718bcb9298d4e2
                                                                      • Instruction Fuzzy Hash: 0651F7B6B00526BFCB21DB9D8CA097EFBB8BB48240B54826DF465D7641D374DE04CBA0
                                                                      Function 01692410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                      • API String ID: 48624451-2108815105
                                                                      • Opcode ID: 324bfc72174669b4f618398fc257dbf04ed79adc03d14d42a2e77332e3665723
                                                                      • Instruction ID: 31a1762dbe1b06c98a7039b48fca7285e93d9210d66678904d50acd939e9a3e2
                                                                      • Opcode Fuzzy Hash: 324bfc72174669b4f618398fc257dbf04ed79adc03d14d42a2e77332e3665723
                                                                      • Instruction Fuzzy Hash: D151E2B5A00646BFCF34DF9DCDA097EBBFDAB44200B04846DE596D7682E774EA408760
                                                                      Function 01617630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01654725
                                                                      • Execute=1, xrefs: 01654713
                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 01654787
                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016546FC
                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01654655
                                                                      • ExecuteOptions, xrefs: 016546A0
                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01654742
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                      • API String ID: 0-484625025
                                                                      • Opcode ID: 0b35cf51ed66751b3858ac00014bd42a21666f700ef587026c10f314fddaa48c
                                                                      • Instruction ID: 1981ac7a04560acc87b59ce512cf86aee5810d4ad5dd66cb0b8a29404f7ff7ca
                                                                      • Opcode Fuzzy Hash: 0b35cf51ed66751b3858ac00014bd42a21666f700ef587026c10f314fddaa48c
                                                                      • Instruction Fuzzy Hash: AC512C31A0022ABAEF11AFA9DC95FBD77B9EF14700F0804DDD505AB285EB719A418F54
                                                                      Function 016B6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                      • Instruction ID: 53d8b8ea8d2954b18b677427825aa517fad5de898047d0d60e1ccfa8029c4fb0
                                                                      • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                      • Instruction Fuzzy Hash: 64020671508342AFD705DF18C890AAFBBE6EFC8704F04892DF9895B264DB31E985CB56
                                                                      Function 0162B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldvrm
                                                                      • String ID: +$-$0$0
                                                                      • API String ID: 1302938615-699404926
                                                                      • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                      • Instruction ID: 6aec899807205976fea51f60ccfedd1828bd37497e27a9210f0ec36173eabcd9
                                                                      • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                      • Instruction Fuzzy Hash: 3981BD30E05A7A8EEF258E6CCC917FEBBA2EF45320F1C421AD861A7391C77488418F55
                                                                      Function 016920E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: %%%u$[$]:%u
                                                                      • API String ID: 48624451-2819853543
                                                                      • Opcode ID: 4bc739cc3d428715c6fe8ff09f3c18b15637877a0a3fb72cbec2dee29b44a243
                                                                      • Instruction ID: 850ce548ab0379ae3486a62ae79bae9996006ada4e481c24a08448b7e6fb431b
                                                                      • Opcode Fuzzy Hash: 4bc739cc3d428715c6fe8ff09f3c18b15637877a0a3fb72cbec2dee29b44a243
                                                                      • Instruction Fuzzy Hash: FE2153BAE00119ABDB10DE69DC50AEEBBEDAF54651F05011EEA05D3200E730DA158BA1
                                                                      Function 0160F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016502BD
                                                                      • RTL: Re-Waiting, xrefs: 0165031E
                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016502E7
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                      • API String ID: 0-2474120054
                                                                      • Opcode ID: 4f7d969d0c684a93579e0b324b25c41bc6085806b15bc8bf45adaa494937605c
                                                                      • Instruction ID: 4650b342b90fc9f3aacd1e0c130ed75f4cc4985fb85caed5c1b9ccc36abb426b
                                                                      • Opcode Fuzzy Hash: 4f7d969d0c684a93579e0b324b25c41bc6085806b15bc8bf45adaa494937605c
                                                                      • Instruction Fuzzy Hash: 08E19C306047429FD76ACF28CC84B2ABBE1BB88314F144A9DF9A58B3E1D775D945CB42
                                                                      Function 0161BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • RTL: Re-Waiting, xrefs: 01657BAC
                                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01657B7F
                                                                      • RTL: Resource at %p, xrefs: 01657B8E
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                      • API String ID: 0-871070163
                                                                      • Opcode ID: dc92c29f63dac70e376734747ee895246a67abc4500725fc45336a4375fc577b
                                                                      • Instruction ID: 7d6c840e51d8b1b6926f98332e70207985f275ec8f1220a79196ef67a02a4425
                                                                      • Opcode Fuzzy Hash: dc92c29f63dac70e376734747ee895246a67abc4500725fc45336a4375fc577b
                                                                      • Instruction Fuzzy Hash: 1841CF317007029FD720DE2ADC40B6AB7E6EF98720F140A1DF95ADB780DB31E8058B95
                                                                      Function 0161B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0165728C
                                                                      Strings
                                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01657294
                                                                      • RTL: Re-Waiting, xrefs: 016572C1
                                                                      • RTL: Resource at %p, xrefs: 016572A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                      • API String ID: 885266447-605551621
                                                                      • Opcode ID: 990045e8fc2007858826369c62c9d40e5ceda772591cec9477eb3b3b68051e0d
                                                                      • Instruction ID: 1a21b25a07baa3c6cb606bfd1d2d8652103922e8079f50893788b179201aa69e
                                                                      • Opcode Fuzzy Hash: 990045e8fc2007858826369c62c9d40e5ceda772591cec9477eb3b3b68051e0d
                                                                      • Instruction Fuzzy Hash: C341F031640206ABC720CE6ACC41B6AB7B6FB94750F14861DFD55EB340DB21E8028BD5
                                                                      Function 01692300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID: %%%u$]:%u
                                                                      • API String ID: 48624451-3050659472
                                                                      • Opcode ID: ee4fca0b81512d4d02413cdf4fe5582beca3678331662c8bcf650be6c95bc07e
                                                                      • Instruction ID: 8c20d781298a55702d6189d7e6398e8628a9ea8c5d713b480d964306167c17a9
                                                                      • Opcode Fuzzy Hash: ee4fca0b81512d4d02413cdf4fe5582beca3678331662c8bcf650be6c95bc07e
                                                                      • Instruction Fuzzy Hash: 82317172A00619AFDF20DE2DDC50BEEB7BCAB54610F44055EE949E3240EB30AA548BA0
                                                                      Function 01627D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldvrm
                                                                      • String ID: +$-
                                                                      • API String ID: 1302938615-2137968064
                                                                      • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                      • Instruction ID: 9591bdc3fd59376ccaabae84d226e5aeb8890c306417d7c80c4526755bed63db
                                                                      • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                      • Instruction Fuzzy Hash: 5291D271E04A3A9BEB24CF6DCC81EBEBBA5AF64320F14451AE955A73C0D7349941CF21
                                                                      Function 015E9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_15b0000_Payment Advice D 0024679526 3930.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$@
                                                                      • API String ID: 0-1194432280
                                                                      • Opcode ID: b68695d2d2c952e58588007038f2b527bd2d9e660bf6e32d8701ee909610707c
                                                                      • Instruction ID: bd021465cd7f573d9d5995b0b9acdb933ad9e14a4d88cb204c6f846ce5c35c79
                                                                      • Opcode Fuzzy Hash: b68695d2d2c952e58588007038f2b527bd2d9e660bf6e32d8701ee909610707c
                                                                      • Instruction Fuzzy Hash: C0811BB1D002699BDB35CB54CC54BEEBBB4BB48754F1041DAEA19B7280D7309E84CFA4

                                                                      Execution Graph

                                                                      Execution Coverage:9.9%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:229
                                                                      Total number of Limit Nodes:6
                                                                      execution_graph 24985 2dc4668 24986 2dc4672 24985->24986 24990 2dc4758 24985->24990 24995 2dc3e28 24986->24995 24988 2dc468d 24991 2dc477d 24990->24991 24999 2dc4858 24991->24999 25003 2dc4868 24991->25003 24996 2dc3e33 24995->24996 25011 2dc5c24 24996->25011 24998 2dc6faf 24998->24988 25001 2dc4868 24999->25001 25000 2dc496c 25000->25000 25001->25000 25007 2dc44b0 25001->25007 25004 2dc488f 25003->25004 25005 2dc44b0 CreateActCtxA 25004->25005 25006 2dc496c 25004->25006 25005->25006 25008 2dc58f8 CreateActCtxA 25007->25008 25010 2dc59bb 25008->25010 25012 2dc5c2f 25011->25012 25015 2dc5c44 25012->25015 25014 2dc7055 25014->24998 25016 2dc5c4f 25015->25016 25019 2dc5c74 25016->25019 25018 2dc713a 25018->25014 25020 2dc5c7f 25019->25020 25023 2dc5ca4 25020->25023 25022 2dc722d 25022->25018 25024 2dc5caf 25023->25024 25026 2dc852b 25024->25026 25030 2dcabe3 25024->25030 25025 2dc8569 25025->25022 25026->25025 25034 2dcccc8 25026->25034 25039 2dcccd8 25026->25039 25044 2dcabff 25030->25044 25048 2dcac10 25030->25048 25031 2dcabee 25031->25026 25036 2dcccd8 25034->25036 25035 2dccd1d 25035->25025 25036->25035 25056 2dcce5c 25036->25056 25060 2dcce88 25036->25060 25041 2dcccf9 25039->25041 25040 2dccd1d 25040->25025 25041->25040 25042 2dcce5c GetModuleHandleW 25041->25042 25043 2dcce88 GetModuleHandleW 25041->25043 25042->25040 25043->25040 25045 2dcac10 25044->25045 25051 2dcad08 25045->25051 25046 2dcac1f 25046->25031 25050 2dcad08 GetModuleHandleW 25048->25050 25049 2dcac1f 25049->25031 25050->25049 25052 2dcad3c 25051->25052 25053 2dcad19 25051->25053 25052->25046 25053->25052 25054 2dcaf40 GetModuleHandleW 25053->25054 25055 2dcaf6d 25054->25055 25055->25046 25057 2dcce88 25056->25057 25058 2dccecf 25057->25058 25064 2dcba40 25057->25064 25058->25035 25061 2dcce95 25060->25061 25062 2dccecf 25061->25062 25063 2dcba40 GetModuleHandleW 25061->25063 25062->25035 25063->25062 25065 2dcba4b 25064->25065 25067 2dcdbe8 25065->25067 25068 2dcd23c 25065->25068 25067->25067 25069 2dcd247 25068->25069 25070 2dc5ca4 GetModuleHandleW 25069->25070 25071 2dcdc57 25070->25071 25071->25067 24784 73eb418 24785 73eb5a3 24784->24785 24787 73eb43e 24784->24787 24787->24785 24788 73e4a30 24787->24788 24789 73eb698 PostMessageW 24788->24789 24790 73eb704 24789->24790 24790->24787 25072 2dccfa0 25073 2dccfe6 25072->25073 25077 2dcd588 25073->25077 25080 2dcd578 25073->25080 25074 2dcd0d3 25083 2dcd1dc 25077->25083 25081 2dcd5b6 25080->25081 25082 2dcd1dc DuplicateHandle 25080->25082 25081->25074 25082->25081 25084 2dcd5f0 DuplicateHandle 25083->25084 25085 2dcd5b6 25084->25085 25085->25074 24791 73e84d0 24792 73e846a 24791->24792 24793 73e84d6 24791->24793 24798 73ea1de 24793->24798 24804 73ea168 24793->24804 24809 73ea178 24793->24809 24794 73e879a 24799 73ea1e1 24798->24799 24800 73ea16c 24798->24800 24799->24794 24814 73ea492 24800->24814 24832 73ea4a0 24800->24832 24801 73ea19a 24801->24794 24805 73ea175 24804->24805 24807 73ea492 12 API calls 24805->24807 24808 73ea4a0 12 API calls 24805->24808 24806 73ea19a 24806->24794 24807->24806 24808->24806 24810 73ea192 24809->24810 24812 73ea492 12 API calls 24810->24812 24813 73ea4a0 12 API calls 24810->24813 24811 73ea19a 24811->24794 24812->24811 24813->24811 24815 73ea49d 24814->24815 24816 73ea4c7 24815->24816 24850 73ea73d 24815->24850 24855 73eac41 24815->24855 24860 73ea780 24815->24860 24865 73ea9c3 24815->24865 24870 73ea6e5 24815->24870 24875 73ea684 24815->24875 24880 73ea6a9 24815->24880 24885 73eae2a 24815->24885 24890 73ea62a 24815->24890 24894 73ea82c 24815->24894 24904 73eafee 24815->24904 24908 73ea6f1 24815->24908 24913 73ea718 24815->24913 24918 73ea95d 24815->24918 24923 73ea87d 24815->24923 24816->24801 24833 73ea4b5 24832->24833 24834 73ea73d 2 API calls 24833->24834 24835 73ea87d 2 API calls 24833->24835 24836 73ea95d 2 API calls 24833->24836 24837 73ea718 2 API calls 24833->24837 24838 73ea6f1 2 API calls 24833->24838 24839 73eafee 2 API calls 24833->24839 24840 73ea4c7 24833->24840 24841 73ea82c 4 API calls 24833->24841 24842 73ea62a 2 API calls 24833->24842 24843 73eae2a 2 API calls 24833->24843 24844 73ea6a9 2 API calls 24833->24844 24845 73ea684 2 API calls 24833->24845 24846 73ea6e5 2 API calls 24833->24846 24847 73ea9c3 2 API calls 24833->24847 24848 73ea780 2 API calls 24833->24848 24849 73eac41 2 API calls 24833->24849 24834->24840 24835->24840 24836->24840 24837->24840 24838->24840 24839->24840 24840->24801 24841->24840 24842->24840 24843->24840 24844->24840 24845->24840 24846->24840 24847->24840 24848->24840 24849->24840 24851 73ea75c 24850->24851 24927 73e7d58 24851->24927 24931 73e7d60 24851->24931 24852 73eae7c 24856 73eac47 24855->24856 24935 73e7e48 24856->24935 24939 73e7e50 24856->24939 24857 73eac6a 24857->24816 24861 73ea690 24860->24861 24861->24860 24863 73e7d58 WriteProcessMemory 24861->24863 24864 73e7d60 WriteProcessMemory 24861->24864 24862 73eab53 24863->24862 24864->24862 24866 73ea711 24865->24866 24943 73e72a8 24866->24943 24947 73e72a0 24866->24947 24867 73eaf55 24872 73ea690 24870->24872 24871 73eab53 24873 73e7d58 WriteProcessMemory 24872->24873 24874 73e7d60 WriteProcessMemory 24872->24874 24873->24871 24874->24871 24876 73ea690 24875->24876 24878 73e7d58 WriteProcessMemory 24876->24878 24879 73e7d60 WriteProcessMemory 24876->24879 24877 73eab53 24878->24877 24879->24877 24881 73ea690 24880->24881 24883 73e7d58 WriteProcessMemory 24881->24883 24884 73e7d60 WriteProcessMemory 24881->24884 24882 73eab53 24883->24882 24884->24882 24886 73eae30 24885->24886 24888 73e72a8 ResumeThread 24886->24888 24889 73e72a0 ResumeThread 24886->24889 24887 73eaf55 24888->24887 24889->24887 24951 73e7fdd 24890->24951 24955 73e7fe8 24890->24955 24895 73ea832 24894->24895 24896 73eafa1 24895->24896 24898 73ea965 24895->24898 24959 73e7788 24896->24959 24963 73e7790 24896->24963 24897 73eafbc 24900 73e72a8 ResumeThread 24898->24900 24901 73e72a0 ResumeThread 24898->24901 24899 73eaf55 24900->24899 24901->24899 24906 73e7d58 WriteProcessMemory 24904->24906 24907 73e7d60 WriteProcessMemory 24904->24907 24905 73eb012 24906->24905 24907->24905 24909 73ea711 24908->24909 24911 73e72a8 ResumeThread 24909->24911 24912 73e72a0 ResumeThread 24909->24912 24910 73eaf55 24911->24910 24912->24910 24914 73ea72a 24913->24914 24967 73e7c98 24914->24967 24971 73e7ca0 24914->24971 24915 73ea8d2 24915->24816 24919 73ea965 24918->24919 24921 73e72a8 ResumeThread 24919->24921 24922 73e72a0 ResumeThread 24919->24922 24920 73eaf55 24921->24920 24922->24920 24975 73eb260 24923->24975 24980 73eb250 24923->24980 24924 73ea895 24924->24816 24928 73e7d60 WriteProcessMemory 24927->24928 24930 73e7dff 24928->24930 24930->24852 24932 73e7da8 WriteProcessMemory 24931->24932 24934 73e7dff 24932->24934 24934->24852 24936 73e7e50 ReadProcessMemory 24935->24936 24938 73e7edf 24936->24938 24938->24857 24940 73e7e9b ReadProcessMemory 24939->24940 24942 73e7edf 24940->24942 24942->24857 24944 73e72e8 ResumeThread 24943->24944 24946 73e7319 24944->24946 24946->24867 24948 73e72a8 ResumeThread 24947->24948 24950 73e7319 24948->24950 24950->24867 24952 73e7fe8 CreateProcessA 24951->24952 24954 73e8233 24952->24954 24956 73e8071 CreateProcessA 24955->24956 24958 73e8233 24956->24958 24960 73e7790 Wow64SetThreadContext 24959->24960 24962 73e781d 24960->24962 24962->24897 24964 73e77d5 Wow64SetThreadContext 24963->24964 24966 73e781d 24964->24966 24966->24897 24968 73e7ca0 VirtualAllocEx 24967->24968 24970 73e7d1d 24968->24970 24970->24915 24972 73e7ce0 VirtualAllocEx 24971->24972 24974 73e7d1d 24972->24974 24974->24915 24976 73eb275 24975->24976 24978 73e7788 Wow64SetThreadContext 24976->24978 24979 73e7790 Wow64SetThreadContext 24976->24979 24977 73eb28b 24977->24924 24978->24977 24979->24977 24981 73eb275 24980->24981 24983 73e7788 Wow64SetThreadContext 24981->24983 24984 73e7790 Wow64SetThreadContext 24981->24984 24982 73eb28b 24982->24924 24983->24982 24984->24982

                                                                      Executed Functions

                                                                      Function 073E7FDD Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 349 73e7fdd-73e807d 352 73e807f-73e8089 349->352 353 73e80b6-73e80d6 349->353 352->353 354 73e808b-73e808d 352->354 360 73e810f-73e813e 353->360 361 73e80d8-73e80e2 353->361 355 73e808f-73e8099 354->355 356 73e80b0-73e80b3 354->356 358 73e809d-73e80ac 355->358 359 73e809b 355->359 356->353 358->358 362 73e80ae 358->362 359->358 367 73e8177-73e8231 CreateProcessA 360->367 368 73e8140-73e814a 360->368 361->360 363 73e80e4-73e80e6 361->363 362->356 365 73e80e8-73e80f2 363->365 366 73e8109-73e810c 363->366 369 73e80f6-73e8105 365->369 370 73e80f4 365->370 366->360 381 73e823a-73e82c0 367->381 382 73e8233-73e8239 367->382 368->367 372 73e814c-73e814e 368->372 369->369 371 73e8107 369->371 370->369 371->366 373 73e8150-73e815a 372->373 374 73e8171-73e8174 372->374 376 73e815e-73e816d 373->376 377 73e815c 373->377 374->367 376->376 379 73e816f 376->379 377->376 379->374 392 73e82c2-73e82c6 381->392 393 73e82d0-73e82d4 381->393 382->381 392->393 396 73e82c8 392->396 394 73e82d6-73e82da 393->394 395 73e82e4-73e82e8 393->395 394->395 397 73e82dc 394->397 398 73e82ea-73e82ee 395->398 399 73e82f8-73e82fc 395->399 396->393 397->395 398->399 400 73e82f0 398->400 401 73e830e-73e8315 399->401 402 73e82fe-73e8304 399->402 400->399 403 73e832c 401->403 404 73e8317-73e8326 401->404 402->401 405 73e832d 403->405 404->403 405->405
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073E821E
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: e41e2fdac2a4d44897e54bf5324753cf556b6c6f5e4c4be1cdab56ef2b4740db
                                                                      • Instruction ID: c4920744fea0601000576f5b3a6942debc2c3a7440e5af5e0c5a7ad1cb5b0ba2
                                                                      • Opcode Fuzzy Hash: e41e2fdac2a4d44897e54bf5324753cf556b6c6f5e4c4be1cdab56ef2b4740db
                                                                      • Instruction Fuzzy Hash: 67A170B1D0062ADFEB10CF68C8407DEBBB6BF44314F1485A9E818A7290DB759985CF92
                                                                      Function 073E7FE8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 407 73e7fe8-73e807d 409 73e807f-73e8089 407->409 410 73e80b6-73e80d6 407->410 409->410 411 73e808b-73e808d 409->411 417 73e810f-73e813e 410->417 418 73e80d8-73e80e2 410->418 412 73e808f-73e8099 411->412 413 73e80b0-73e80b3 411->413 415 73e809d-73e80ac 412->415 416 73e809b 412->416 413->410 415->415 419 73e80ae 415->419 416->415 424 73e8177-73e8231 CreateProcessA 417->424 425 73e8140-73e814a 417->425 418->417 420 73e80e4-73e80e6 418->420 419->413 422 73e80e8-73e80f2 420->422 423 73e8109-73e810c 420->423 426 73e80f6-73e8105 422->426 427 73e80f4 422->427 423->417 438 73e823a-73e82c0 424->438 439 73e8233-73e8239 424->439 425->424 429 73e814c-73e814e 425->429 426->426 428 73e8107 426->428 427->426 428->423 430 73e8150-73e815a 429->430 431 73e8171-73e8174 429->431 433 73e815e-73e816d 430->433 434 73e815c 430->434 431->424 433->433 436 73e816f 433->436 434->433 436->431 449 73e82c2-73e82c6 438->449 450 73e82d0-73e82d4 438->450 439->438 449->450 453 73e82c8 449->453 451 73e82d6-73e82da 450->451 452 73e82e4-73e82e8 450->452 451->452 454 73e82dc 451->454 455 73e82ea-73e82ee 452->455 456 73e82f8-73e82fc 452->456 453->450 454->452 455->456 457 73e82f0 455->457 458 73e830e-73e8315 456->458 459 73e82fe-73e8304 456->459 457->456 460 73e832c 458->460 461 73e8317-73e8326 458->461 459->458 462 73e832d 460->462 461->460 462->462
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073E821E
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 2df9f6f442525b21cb339dcf4e3dc354a58e413d2d00bbde2d27aef5014df1cf
                                                                      • Instruction ID: 0aab3958bab6bf2793936f9824551a43754e358795b15f3bd19209ef1de7f56f
                                                                      • Opcode Fuzzy Hash: 2df9f6f442525b21cb339dcf4e3dc354a58e413d2d00bbde2d27aef5014df1cf
                                                                      • Instruction Fuzzy Hash: 529170B1D0062ADFEB10CF68C8407DDBBF6BF44314F1485A9E809A7290DB759985CF92
                                                                      Function 02DCAD08 Relevance: 1.7, APIs: 1, Instructions: 197COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 464 2dcad08-2dcad17 465 2dcad19-2dcad26 call 2dca02c 464->465 466 2dcad43-2dcad47 464->466 473 2dcad3c 465->473 474 2dcad28 465->474 468 2dcad49-2dcad53 466->468 469 2dcad5b-2dcad9c 466->469 468->469 475 2dcad9e-2dcada6 469->475 476 2dcada9-2dcadb7 469->476 473->466 522 2dcad2e call 2dcaf90 474->522 523 2dcad2e call 2dcafa0 474->523 475->476 477 2dcadb9-2dcadbe 476->477 478 2dcaddb-2dcaddd 476->478 480 2dcadc9 477->480 481 2dcadc0-2dcadc7 call 2dca038 477->481 483 2dcade0-2dcade7 478->483 479 2dcad34-2dcad36 479->473 482 2dcae78-2dcaf38 479->482 485 2dcadcb-2dcadd9 480->485 481->485 515 2dcaf3a-2dcaf3d 482->515 516 2dcaf40-2dcaf6b GetModuleHandleW 482->516 486 2dcade9-2dcadf1 483->486 487 2dcadf4-2dcadfb 483->487 485->483 486->487 488 2dcadfd-2dcae05 487->488 489 2dcae08-2dcae11 call 2dca048 487->489 488->489 495 2dcae1e-2dcae23 489->495 496 2dcae13-2dcae1b 489->496 497 2dcae25-2dcae2c 495->497 498 2dcae41-2dcae45 495->498 496->495 497->498 500 2dcae2e-2dcae3e call 2dca058 call 2dca068 497->500 520 2dcae48 call 2dcb290 498->520 521 2dcae48 call 2dcb2a0 498->521 500->498 503 2dcae4b-2dcae4e 504 2dcae50-2dcae6e 503->504 505 2dcae71-2dcae77 503->505 504->505 515->516 517 2dcaf6d-2dcaf73 516->517 518 2dcaf74-2dcaf88 516->518 517->518 520->503 521->503 522->479 523->479
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02DCAF5E
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1958612770.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_2dc0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 2b8176dae0527eaa65c6af2ceafe328784d173dd34c931d4e8d0f5f38400d05a
                                                                      • Instruction ID: b9e5c66a5da7cf1f43cc9ff927fad56747290753e72ec8451b4764a2755cb30d
                                                                      • Opcode Fuzzy Hash: 2b8176dae0527eaa65c6af2ceafe328784d173dd34c931d4e8d0f5f38400d05a
                                                                      • Instruction Fuzzy Hash: 61710370A00B0A8FD724DF69D44475ABBF5FB88304F20892DD48AD7B54EB75E849CB91
                                                                      Function 02DC44B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 524 2dc44b0-2dc59b9 CreateActCtxA 527 2dc59bb-2dc59c1 524->527 528 2dc59c2-2dc5a1c 524->528 527->528 535 2dc5a1e-2dc5a21 528->535 536 2dc5a2b-2dc5a2f 528->536 535->536 537 2dc5a40-2dc5a70 536->537 538 2dc5a31-2dc5a3d 536->538 542 2dc5a22-2dc5a2a 537->542 543 2dc5a72-2dc5af4 537->543 538->537 542->536
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 02DC59A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1958612770.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_2dc0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: b2ab80e2b820c0e7be7e3eb2ceeb504a76b803b52a36beedf105c6a0ce586eef
                                                                      • Instruction ID: 6de9cf67e6c2718fb0e7af2a130b507fb015816e17976dd0bdf1a08ef880f198
                                                                      • Opcode Fuzzy Hash: b2ab80e2b820c0e7be7e3eb2ceeb504a76b803b52a36beedf105c6a0ce586eef
                                                                      • Instruction Fuzzy Hash: 624102B0C00719CBDB24DFAAC88478EBBB5BF48304F64806AD408BB251DB756949CF90
                                                                      Function 02DC58EC Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 545 2dc58ec-2dc58f4 546 2dc58fc-2dc59b9 CreateActCtxA 545->546 548 2dc59bb-2dc59c1 546->548 549 2dc59c2-2dc5a1c 546->549 548->549 556 2dc5a1e-2dc5a21 549->556 557 2dc5a2b-2dc5a2f 549->557 556->557 558 2dc5a40-2dc5a70 557->558 559 2dc5a31-2dc5a3d 557->559 563 2dc5a22-2dc5a2a 558->563 564 2dc5a72-2dc5af4 558->564 559->558 563->557
                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 02DC59A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1958612770.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_2dc0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 6de0c41728762874951c9495efcc7c2546d4769794d7b7e2dd51addfd581dada
                                                                      • Instruction ID: f13f7ca10639e6031906017beabc30d6a5dba7e8821f8141ac63d939861ae5ff
                                                                      • Opcode Fuzzy Hash: 6de0c41728762874951c9495efcc7c2546d4769794d7b7e2dd51addfd581dada
                                                                      • Instruction Fuzzy Hash: BD4112B0C00719CEDB24DFAAD8847CDBBB5BF48304F24809AD409BB251DB756949CF90
                                                                      Function 073E7D58 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 566 73e7d58-73e7dae 569 73e7dbe-73e7dfd WriteProcessMemory 566->569 570 73e7db0-73e7dbc 566->570 572 73e7dff-73e7e05 569->572 573 73e7e06-73e7e36 569->573 570->569 572->573
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073E7DF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: b2f6f412bde450b71575ec37fb6d8961cb279ffc384dd07bb7ff4b529396d1f9
                                                                      • Instruction ID: d9f0255ba180f94e9b24f4bf913ad3ea968c01a2f422eb4beb29b0f21312fc46
                                                                      • Opcode Fuzzy Hash: b2f6f412bde450b71575ec37fb6d8961cb279ffc384dd07bb7ff4b529396d1f9
                                                                      • Instruction Fuzzy Hash: A3215AB2900359DFDB10DFA9C885BDEBBF4FF48310F10842AE959A7241C778A945CBA4
                                                                      Function 073E7D60 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 577 73e7d60-73e7dae 579 73e7dbe-73e7dfd WriteProcessMemory 577->579 580 73e7db0-73e7dbc 577->580 582 73e7dff-73e7e05 579->582 583 73e7e06-73e7e36 579->583 580->579 582->583
                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073E7DF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: ef9a691afcfef53a51be7deb18a2631a24bd616dbf8440cf41ee44859c7adbdf
                                                                      • Instruction ID: e3cc0a46b8f8a46d598efba922525edc34724bf938d693e3aed91a81064920d6
                                                                      • Opcode Fuzzy Hash: ef9a691afcfef53a51be7deb18a2631a24bd616dbf8440cf41ee44859c7adbdf
                                                                      • Instruction Fuzzy Hash: 082139B1900359DFDB10DFA9C885BEEBBF5FF48310F10842AE959A7250C7789944CBA4
                                                                      Function 073E7788 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 587 73e7788-73e77db 590 73e77dd-73e77e9 587->590 591 73e77eb-73e781b Wow64SetThreadContext 587->591 590->591 593 73e781d-73e7823 591->593 594 73e7824-73e7854 591->594 593->594
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073E780E
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 7f787d116ad5d9a910c39d57fbf6a8ab6a1e739251aa61c6a1378fa6b9960f07
                                                                      • Instruction ID: 62fbd0dc6b03e95216609fec7e3095fcbc52025e163c0565f1c36776ec9f25d4
                                                                      • Opcode Fuzzy Hash: 7f787d116ad5d9a910c39d57fbf6a8ab6a1e739251aa61c6a1378fa6b9960f07
                                                                      • Instruction Fuzzy Hash: 3C216AB1D002199FDB10DFAAC485BEEBBF4EF48324F14842AD459A7241C7789945CFA4
                                                                      Function 073E7E48 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 598 73e7e48-73e7edd ReadProcessMemory 602 73e7edf-73e7ee5 598->602 603 73e7ee6-73e7f16 598->603 602->603
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073E7ED0
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 170acec6cd324bd20cdd693c741ba92c45f7ee86acb506ec3d9779de4e153187
                                                                      • Instruction ID: f2763cdc49f9e8df3e78e2f826ae29b50f4cf47a848b300445e9728b0c6a933b
                                                                      • Opcode Fuzzy Hash: 170acec6cd324bd20cdd693c741ba92c45f7ee86acb506ec3d9779de4e153187
                                                                      • Instruction Fuzzy Hash: BE212AB19002599FDB10DFAAC881BDEFBF5FF48320F10842AE559A7251C7389945CBA4
                                                                      Function 02DCD1DC Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 607 2dcd1dc-2dcd684 DuplicateHandle 609 2dcd68d-2dcd6aa 607->609 610 2dcd686-2dcd68c 607->610 610->609
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DCD5B6,?,?,?,?,?), ref: 02DCD677
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1958612770.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_2dc0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 7b3e90a4ccb8cbacfd08c6638e7e3ace11b1bafd51924a5e3aa56d09ef5cb4d6
                                                                      • Instruction ID: 8eef38c4646999a29d9eaf0f1cfa066181b4a0613e2b88119c78b151cc0482cc
                                                                      • Opcode Fuzzy Hash: 7b3e90a4ccb8cbacfd08c6638e7e3ace11b1bafd51924a5e3aa56d09ef5cb4d6
                                                                      • Instruction Fuzzy Hash: AD21E6B5900249DFDB10DF9AD984ADEFBF5EB48310F14842AE958A7310D374A954CFA4
                                                                      Function 02DCD5E9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 613 2dcd5e9-2dcd5ee 614 2dcd5f0-2dcd684 DuplicateHandle 613->614 615 2dcd68d-2dcd6aa 614->615 616 2dcd686-2dcd68c 614->616 616->615
                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DCD5B6,?,?,?,?,?), ref: 02DCD677
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1958612770.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_2dc0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: ce940b8a20be7ec59ebff6bd5b89315cff91963d5b6f70b6b8e3bf98344b0d26
                                                                      • Instruction ID: 59ada96cf363286d8b3c37609519fbbb0f328f4adba79bed7494e67908d275fb
                                                                      • Opcode Fuzzy Hash: ce940b8a20be7ec59ebff6bd5b89315cff91963d5b6f70b6b8e3bf98344b0d26
                                                                      • Instruction Fuzzy Hash: 0F2114B59002499FDB10CF9AD984ADEBBF5EB48310F20802AE958A3310D374A944CFA4
                                                                      Function 073E7790 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 619 73e7790-73e77db 621 73e77dd-73e77e9 619->621 622 73e77eb-73e781b Wow64SetThreadContext 619->622 621->622 624 73e781d-73e7823 622->624 625 73e7824-73e7854 622->625 624->625
                                                                      APIs
                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073E780E
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: ContextThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 983334009-0
                                                                      • Opcode ID: 1141af64cdf2d2b40e65c40845bdbf13b760d28ec04a6352075bd3f93e8456d7
                                                                      • Instruction ID: f2603c327d069e71298486fe4b250d52301703172a0b4c4270ea2d2da813d726
                                                                      • Opcode Fuzzy Hash: 1141af64cdf2d2b40e65c40845bdbf13b760d28ec04a6352075bd3f93e8456d7
                                                                      • Instruction Fuzzy Hash: 4B2149B1D003198FDB10DFAAC485BEEBBF4EF48324F10842AD459A7240D7789945CFA4
                                                                      Function 073E7E50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073E7ED0
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 06eb31285ec35216daa9ad7517d615810318a4fd3598e19dfc1fcdbfe32952d6
                                                                      • Instruction ID: 0d56850e5d79490da2b77bcd456004041f711a958e5777a7d1557fcab927d4f4
                                                                      • Opcode Fuzzy Hash: 06eb31285ec35216daa9ad7517d615810318a4fd3598e19dfc1fcdbfe32952d6
                                                                      • Instruction Fuzzy Hash: D22128B18002599FDB10DFAAC880AEEFBF5FF48310F10842AE559A7250C7389944CBA4
                                                                      Function 073E7C98 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073E7D0E
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 71c177c09a1568bdad705151827036feab511193665909fe32c7354b996ed8ea
                                                                      • Instruction ID: d2522ef2e611fce95f4f16fa781093f4a4db2576f8c41e08150939696ba86488
                                                                      • Opcode Fuzzy Hash: 71c177c09a1568bdad705151827036feab511193665909fe32c7354b996ed8ea
                                                                      • Instruction Fuzzy Hash: BF1147B69002599FCB10DFAAD844AEFBBF5EB88320F208819E519A7250C7359945CBA1
                                                                      Function 073E7CA0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073E7D0E
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 7c73460299d30b939a2bcacc39fdeb70ffec20c4d67177a42112b4c0edc6aec6
                                                                      • Instruction ID: dc1f112a308a930c06690c779996c28a8ee54efd527de39527e773f52545d04f
                                                                      • Opcode Fuzzy Hash: 7c73460299d30b939a2bcacc39fdeb70ffec20c4d67177a42112b4c0edc6aec6
                                                                      • Instruction Fuzzy Hash: 32113AB29002599FDB10DFAAC844BDFBFF5EF48324F108819D559A7250C7759544CFA4
                                                                      Function 073E72A0 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: c1bd1f75fdb1df777d1af32031c1f7b1f9f42f020c7cccb37f884e652bc8d7c7
                                                                      • Instruction ID: 3e6bc6b9c4aca686dfb16340a5f72446af37697336140139f232d2609b72eff9
                                                                      • Opcode Fuzzy Hash: c1bd1f75fdb1df777d1af32031c1f7b1f9f42f020c7cccb37f884e652bc8d7c7
                                                                      • Instruction Fuzzy Hash: 3B115BB19002598FDB10DFAAC4457EFFBF8EB88324F108829D559A7250C7356544CF95
                                                                      Function 073E72A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: e1a210686f288bdf1f6a9db1323a015b1ced8c72136e1d4e7bb34b631a45bd69
                                                                      • Instruction ID: 3006874c78d65b6415cc74ddceaa3984fba5ec91d377bee938dce4f2a042215a
                                                                      • Opcode Fuzzy Hash: e1a210686f288bdf1f6a9db1323a015b1ced8c72136e1d4e7bb34b631a45bd69
                                                                      • Instruction Fuzzy Hash: 1C113AB19002598FDB10DFAAC4457DEFBF4EB88324F208419D559A7250C775A544CF94
                                                                      Function 073EB690 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 073EB6F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: cd574ae80ef033fbe354af2eefb2844e6df18f70f5cc7ce93e82efd2e3b5c1b9
                                                                      • Instruction ID: 74b24aa999085db5a67227a496b64ea7c73d487a6eb492181cba25e5496a021c
                                                                      • Opcode Fuzzy Hash: cd574ae80ef033fbe354af2eefb2844e6df18f70f5cc7ce93e82efd2e3b5c1b9
                                                                      • Instruction Fuzzy Hash: 9C11F2B58003599FDB10DF9AC885BDEFBF8EB48324F10842AE958A7740C379A544CFA1
                                                                      Function 073E4A30 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 073EB6F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 30e8dd23f456fc8eee3fd713bf8eea134495f26aca9dc55fb88e6e5ae6e0f4be
                                                                      • Instruction ID: 10377be5f2b0583a6153b31fa8a8a841d0016adfc083ce0b4714d958d94e84fe
                                                                      • Opcode Fuzzy Hash: 30e8dd23f456fc8eee3fd713bf8eea134495f26aca9dc55fb88e6e5ae6e0f4be
                                                                      • Instruction Fuzzy Hash: E011F2B58003599FDB10DF9AC885BDEFBF8EB48324F10841AE559A7640C375A944CFA5
                                                                      Function 02DCAEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02DCAF5E
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1958612770.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_2dc0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 0d2f067010a666d62b86bc082891847ed7f6490cd22f998db8ecd45e122bcf5f
                                                                      • Instruction ID: 2197e6c0cc9778f266acf22761fbad7a1b1cbff4371163d6fd1f819529afe209
                                                                      • Opcode Fuzzy Hash: 0d2f067010a666d62b86bc082891847ed7f6490cd22f998db8ecd45e122bcf5f
                                                                      • Instruction Fuzzy Hash: E61110B6C006498FCB10DF9AC444ADEFBF4EB88324F20846AE459A7350C379A545CFA1
                                                                      Function 073EB6E9 Relevance: 1.5, APIs: 1, Instructions: 20windowCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 073EB6F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2049616370.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_73e0000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 24500219ae0e82f0fba8eead3ac377134c9ffeb0ff74318ce27444e2ee51045e
                                                                      • Instruction ID: 14c77664ad94fcacf06c9addb3432abf9dcad1f7c5d1c2c348633fe210c82c69
                                                                      • Opcode Fuzzy Hash: 24500219ae0e82f0fba8eead3ac377134c9ffeb0ff74318ce27444e2ee51045e
                                                                      • Instruction Fuzzy Hash: 46E086B6404205CDD721AB99E4487CDFBE4AF50314F34C41AC19D93551C2795184CB51
                                                                      Function 0137D3D8 Relevance: .1, Instructions: 75COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1910176003.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_137d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7a7f192935387b0843170091fec31f7c7de30806e4e48adba5c7253609e2ce05
                                                                      • Instruction ID: ed090091e7646e265c7eda5d76e2158a52b8ebc0032a8475dcf7569312609457
                                                                      • Opcode Fuzzy Hash: 7a7f192935387b0843170091fec31f7c7de30806e4e48adba5c7253609e2ce05
                                                                      • Instruction Fuzzy Hash: B0214871100204DFDB11DF48D9C0B56BF65FF84328F20C16DD9095B256C73AE446CAA1
                                                                      Function 0137D4C4 Relevance: .1, Instructions: 75COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1910176003.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_137d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dd76f40b295841071191d0e69e69bee8656f8df7180f820406cdaa7318779dc0
                                                                      • Instruction ID: 164c6ead15597ebf7532b9b66c01f411e697d9ca24e2b8b2483f69de73d48ea1
                                                                      • Opcode Fuzzy Hash: dd76f40b295841071191d0e69e69bee8656f8df7180f820406cdaa7318779dc0
                                                                      • Instruction Fuzzy Hash: A5212271500244DFDB25DF58D9C0B2ABFA5FF8832CF24C669E9091B256C33AD456CBA2
                                                                      Function 0138D01C Relevance: .1, Instructions: 72COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1924550234.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_138d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4fe525d403c45a5ad86edf7d6317f6d6ab544ca51736af81b5c7b04d84d78602
                                                                      • Instruction ID: 17b582227c59ba50c3b5ae452d7ab4cebdbec33e3f05d3f282252574df9fdf76
                                                                      • Opcode Fuzzy Hash: 4fe525d403c45a5ad86edf7d6317f6d6ab544ca51736af81b5c7b04d84d78602
                                                                      • Instruction Fuzzy Hash: 542122B1604304DFDB15EF98D984B26BFA5FB84318F20C56DD80A4B396C33AD447CA61
                                                                      Function 0138D1D4 Relevance: .1, Instructions: 72COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1924550234.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_138d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e2013b76e85b53f978286a3a7e3ac2f14dd34f368c5101dda3a7ed2158e82a98
                                                                      • Instruction ID: 61a3dfae70a0d9a184ef69e204eb2d4ed61369908a82813830e3c6ff2770c5dd
                                                                      • Opcode Fuzzy Hash: e2013b76e85b53f978286a3a7e3ac2f14dd34f368c5101dda3a7ed2158e82a98
                                                                      • Instruction Fuzzy Hash: DF210471504304EFDB05EF98D9C0B26BBA5FB84328F20C66DE9094B296C336D846CA61
                                                                      Function 0137D4BF Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1910176003.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_137d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction ID: 8a61cf4dfc72df617740916029ca993d043a4a8a7e5c99a903196a6be2428730
                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction Fuzzy Hash: 7011B176504280CFDB16CF54D5C4B16BF71FF84328F24C6A9D9490B656C33AD45ACBA1
                                                                      Function 0137D3D3 Relevance: .1, Instructions: 56COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1910176003.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_137d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction ID: 94101dce9425e5f52c1cc881209a065cf5be72b0b143a8691c2385effc11b4a3
                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                      • Instruction Fuzzy Hash: D711DC72404280DFDB12CF44D9C4B56BF72FB94328F24C2A9D9090B256C33AE45ACBA2
                                                                      Function 0138D1CF Relevance: .1, Instructions: 53COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1924550234.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_138d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction ID: 9841a43a8e88af9aaa0ebbc2eebc8cb30730faf73c4fb76ae465926f7dd61242
                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction Fuzzy Hash: 1711BB75504380DFDB02DF58C5C4B15BFB1FB84328F24C6AAD8494B296C33AD40ACB61
                                                                      Function 0138D017 Relevance: .1, Instructions: 53COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1924550234.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_138d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction ID: af53d568839933dc112eab31eca0de8df607c81ea012b28f3e35ef4ab21a8390
                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                      • Instruction Fuzzy Hash: 7311BEB5504380CFDB12DF54D5C4B15BF61FB44318F24C6AAD8494B696C33AD40BCB61
                                                                      Function 0137D759 Relevance: .0, Instructions: 45COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1910176003.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_137d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 42e4387bfe9bc9ac38eb3c81fc0bcd0da68532c4e9c72924f4716fab1eaeb568
                                                                      • Instruction ID: 5130e817d049707e1bdfa6488b74c4027cdafa344bf19fac353eeb80a2fc305e
                                                                      • Opcode Fuzzy Hash: 42e4387bfe9bc9ac38eb3c81fc0bcd0da68532c4e9c72924f4716fab1eaeb568
                                                                      • Instruction Fuzzy Hash: 0501A7710083C49AE7215E6ACD84767FFECEF45328F18C52AED094A286C27D9840CA71
                                                                      Function 0137D758 Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.1910176003.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_137d000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 99b9e5b71bf9ced22e87cc1b9772dd3b4f06a7e70f2bdb175a77f007d2083d83
                                                                      • Instruction ID: 1ab5dcf0d10a55c65a08f2ae43aeaa42b1b49f9c216738120206b4bc723f0627
                                                                      • Opcode Fuzzy Hash: 99b9e5b71bf9ced22e87cc1b9772dd3b4f06a7e70f2bdb175a77f007d2083d83
                                                                      • Instruction Fuzzy Hash: 32F062714083849EE7218E1ADD84B66FFE8EF55629F18C45AED484F286C2799844CAB1

                                                                      Execution Graph

                                                                      Execution Coverage:0.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:5
                                                                      Total number of Limit Nodes:1
                                                                      execution_graph 62193 13d2b60 LdrInitializeThunk 62195 13d2c00 62197 13d2c0a 62195->62197 62198 13d2c1f LdrInitializeThunk 62197->62198 62199 13d2c11 62197->62199

                                                                      Executed Functions

                                                                      Function 013D2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 13d2c0a-13d2c0f 1 13d2c1f-13d2c26 LdrInitializeThunk 0->1 2 13d2c11-13d2c18 0->2
                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL(013EFD4F,000000FF,00000024,01486634,00000004,00000000,?,-00000018,7D810F61,?,?,013A8B12,?,?,?,?), ref: 013D2C24
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 8aae6cb4ebc02a51679b100cdc5eedd9c87adf5af78f344f4cd8ea65896d9fc5
                                                                      • Instruction ID: 15c3b7c43ec97361734baa26885384f78ebbb9aba6f32eb79e3d2e6b823790ec
                                                                      • Opcode Fuzzy Hash: 8aae6cb4ebc02a51679b100cdc5eedd9c87adf5af78f344f4cd8ea65896d9fc5
                                                                      • Instruction Fuzzy Hash: F9B09B72D015D5C5EE12E764560C717794077D0705F15C061D2030745F4738C5D5E275
                                                                      Function 013D2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 4 13d2b60-13d2b6c LdrInitializeThunk
                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL(01400DBD,?,?,?,?,013F4302), ref: 013D2B6A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 240f27a792cb424027b6c9d7c58fb96a90ff1f5d41115a9b2853e528bd864fa8
                                                                      • Instruction ID: 0732a20255fcacc2bb272d7b921ad8e6cda7bbee61c81b68d23b90f46ef8cbfe
                                                                      • Opcode Fuzzy Hash: 240f27a792cb424027b6c9d7c58fb96a90ff1f5d41115a9b2853e528bd864fa8
                                                                      • Instruction Fuzzy Hash: 85900265602510039105715C4418616404A97E0205B55C061E1014594DC53589956225
                                                                      Function 013D2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 6 13d2df0-13d2dfc LdrInitializeThunk
                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL(0140E73E,0000005A,0146D040,00000020,00000000,0146D040,00000080,013F4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,013DAE00), ref: 013D2DFA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 2eee65347ea214c86e72a976bfc764c68c71ece6c91fe0f781968b33e1944c45
                                                                      • Instruction ID: f21f99a503d12b3c22a35ffec948b3d191093d200eebf500980f951a579f6247
                                                                      • Opcode Fuzzy Hash: 2eee65347ea214c86e72a976bfc764c68c71ece6c91fe0f781968b33e1944c45
                                                                      • Instruction Fuzzy Hash: A190023560151413E111715C4508707004997D0245F95C452A042455CDD6668A56A221
                                                                      Function 013D2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 5 13d2c70-13d2c7c LdrInitializeThunk
                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL(0138FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,013E7BE5,00001000,00004000,000000FF,?,00000000), ref: 013D2C7A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 9d7bf09c89eae3e4abfa639f127152bdafd52cf8ee3327c609547adb33bb7974
                                                                      • Instruction ID: 3fa071f6f3fbf6c24c97f3ceaafda12b4e46bc9afae37ed23931636b5101143a
                                                                      • Opcode Fuzzy Hash: 9d7bf09c89eae3e4abfa639f127152bdafd52cf8ee3327c609547adb33bb7974
                                                                      • Instruction Fuzzy Hash: 1A90023560159802E110715C840874A004597D0305F59C451A442465CDC6A589957221
                                                                      Function 013D35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 7 13d35c0-13d35cc LdrInitializeThunk
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 51399ac9ffb2b243c77b739eb374c92c8ff43453cef1f0721fbb0632191dd371
                                                                      • Instruction ID: 5e027a6dff10189659c13b6745c2c46691b65f1c396b721cfe3564878da34af1
                                                                      • Opcode Fuzzy Hash: 51399ac9ffb2b243c77b739eb374c92c8ff43453cef1f0721fbb0632191dd371
                                                                      • Instruction Fuzzy Hash: 21900235A0561402E100715C4518706104597D0205F65C451A042456CDC7A58A5566A2
                                                                      Function 0042E8DD Relevance: .1, Instructions: 51COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 8 42e8dd-42e8df 9 42e8e1-42e907 8->9 10 42e8b7-42e8b8 8->10 16 42e91b-42e91e 9->16 17 42e909-42e90b 9->17 12 42e8be-42e8c5 10->12 14 42e8c7-42e8c9 12->14 15 42e8d9-42e8dc 12->15 14->15 18 42e8cb-42e8d7 call 42e863 14->18 17->16 19 42e90d-42e919 call 42e863 17->19 18->15 19->16
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2187715067.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_42e000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 488100d8cbb77d35520776c25e53210ee0e44671820353f2150349199554be4b
                                                                      • Instruction ID: cf80e81f0ddde677eb7f8c52eba2ad7e2b5d66013716722d6d907c6d7acbb255
                                                                      • Opcode Fuzzy Hash: 488100d8cbb77d35520776c25e53210ee0e44671820353f2150349199554be4b
                                                                      • Instruction Fuzzy Hash: 67F04472B0123463D220319B7C06F6B66598BC0B64F99057BFE1CAB342F5A99D1242ED
                                                                      Function 0042E37E Relevance: .0, Instructions: 47COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 24 42e37e-42e3a4 call 42e863 27 42e3a9-42e3b0 24->27 28 42e3bf-42e3c4 27->28 29 42e3c6-42e3cf 28->29 30 42e41e-42e423 28->30 31 42e3de-42e3e3 29->31 32 42e3f6-42e415 31->32 33 42e3e5-42e3f3 31->33 36 42e41b 32->36 33->32 36->30
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2187715067.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_42e000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 68e7c3cc5b655a2c18881d5957f2cc082f2a1984b945fd56a77916c7ddf188af
                                                                      • Instruction ID: 620758e5bfeec7d454602bdcd39fbc84bfd4df5d12d7fa408b5504131a588007
                                                                      • Opcode Fuzzy Hash: 68e7c3cc5b655a2c18881d5957f2cc082f2a1984b945fd56a77916c7ddf188af
                                                                      • Instruction Fuzzy Hash: 0501B971D0022856FB68FBA59C92FDE7778AB04304F4005DAB60CA7181EFB4568C8B95
                                                                      Function 0042E383 Relevance: .0, Instructions: 44COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 37 42e383-42e3c4 call 42e863 41 42e3c6-42e3e3 37->41 42 42e41e-42e423 37->42 44 42e3f6-42e415 41->44 45 42e3e5-42e3f3 41->45 48 42e41b 44->48 45->44 48->42
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2187715067.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_42e000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cb43ce9780cbbeb687307c4a0133b4985792a505e7551cfd1e4746e046c68c26
                                                                      • Instruction ID: fa02b82f83d2b57f30124be931f9fed508280326a3613d618c2c7aa231130e18
                                                                      • Opcode Fuzzy Hash: cb43ce9780cbbeb687307c4a0133b4985792a505e7551cfd1e4746e046c68c26
                                                                      • Instruction Fuzzy Hash: A2018871D4022C56FB68FB959C92FEEB778AB04304F5006DAB60CA3181FFB4568C8B95
                                                                      Function 0042E89B Relevance: .0, Instructions: 33COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 49 42e89b-42e89f 50 42e8a1-42e8a9 49->50 51 42e8ad-42e8b5 49->51 50->51 53 42e8b7-42e8b8 51->53 54 42e8be-42e8c5 53->54 55 42e8c7-42e8c9 54->55 56 42e8d9-42e8dc 54->56 55->56 57 42e8cb-42e8d7 call 42e863 55->57 57->56
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2187715067.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_42e000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 39a7869d32078324a04f3260f29ebff30baad3b6c3195159a13303c938b49850
                                                                      • Instruction ID: 2914dc4beb708d3812f23844ce428eb3568d8baa4cade632074ba0b68fea8034
                                                                      • Opcode Fuzzy Hash: 39a7869d32078324a04f3260f29ebff30baad3b6c3195159a13303c938b49850
                                                                      • Instruction Fuzzy Hash: EDE0E571B0122427C221665BAC05F677B68CFC2B24F49006AFD499B342D569AC0183E8
                                                                      Function 0042E724 Relevance: .0, Instructions: 30COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 60 42e724-42e72a 61 42e744-42e75e 60->61 62 42e72c-42e72d 60->62 63 42e764-42e775 61->63 62->61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2187715067.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_42e000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fcfaf4cc809b523768dcb3ad02d94790eba89c6b1481b8e07808bfd07225e1c9
                                                                      • Instruction ID: 87ae84252e92c4618c92d52a42c1ff96d4df01b10b37dad19770904ab2772d23
                                                                      • Opcode Fuzzy Hash: fcfaf4cc809b523768dcb3ad02d94790eba89c6b1481b8e07808bfd07225e1c9
                                                                      • Instruction Fuzzy Hash: 9CF0E532640209AFD704DF51ED85AEB3368EF84350F088219F91C8B545D734D2058795
                                                                      Function 0042E8A3 Relevance: .0, Instructions: 28COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 66 42e8a3-42e8b5 68 42e8b7-42e8b8 66->68 69 42e8be-42e8c5 68->69 70 42e8c7-42e8c9 69->70 71 42e8d9-42e8dc 69->71 70->71 72 42e8cb-42e8d7 call 42e863 70->72 72->71
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2187715067.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_42e000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 28f5e612f479f8a387477922d3b98dc3a405dc01a4c2e86a51c4c3a341f83d84
                                                                      • Instruction ID: a7fd2963584621a78af88b5b398ec69ff6abaabe3df6566a0651cab44ab423e8
                                                                      • Opcode Fuzzy Hash: 28f5e612f479f8a387477922d3b98dc3a405dc01a4c2e86a51c4c3a341f83d84
                                                                      • Instruction Fuzzy Hash: F4E04836B0122467D220659B6C05F67775C8BC1B60F45007AFE0897341D5A5A90142E9
                                                                      Function 0042E733 Relevance: .0, Instructions: 28COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 64 42e733-42e75e 65 42e764-42e775 64->65
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2187715067.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_42e000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c6ef528ffe0e170a3cef873f6df4c85ba0a2c463b2f6557ba9733242547fe666
                                                                      • Instruction ID: 7afdc5125c63738d28b1d0f49e6e34684628c59aeffbb44556952c0c0970db47
                                                                      • Opcode Fuzzy Hash: c6ef528ffe0e170a3cef873f6df4c85ba0a2c463b2f6557ba9733242547fe666
                                                                      • Instruction Fuzzy Hash: A6F01C76650309AFDB04CF99C881EEB73A9EF88750F04C159FD288B641E774EA10CBA1
                                                                      Function 0042E7C3 Relevance: .0, Instructions: 13COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 75 42e7c3-42e7d6 76 42e7dc-42e7e0 75->76
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2187715067.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_42e000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d323d543d917f45d49b36ff89283240008c49757f2bf0b73481cbbd4fdbcd21
                                                                      • Instruction ID: 5f8e7d88003c7b4f5144a9856a5fbfd15f060c851097c637d44b119f74364b9b
                                                                      • Opcode Fuzzy Hash: 4d323d543d917f45d49b36ff89283240008c49757f2bf0b73481cbbd4fdbcd21
                                                                      • Instruction Fuzzy Hash: C2C012716002086BD704DA98DC46F65339C9748614F444055B90C8B241D571B9104654

                                                                      Non-executed Functions

                                                                      Function 013D2890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 273 13d2890-13d28b3 274 13d28b9-13d28cc 273->274 275 140a4bc-140a4c0 273->275 277 13d28dd-13d28df 274->277 278 13d28ce-13d28d7 274->278 275->274 276 140a4c6-140a4ca 275->276 276->274 279 140a4d0-140a4d4 276->279 281 13d28e1-13d28e5 277->281 278->277 280 140a57e-140a585 278->280 279->274 282 140a4da-140a4de 279->282 280->277 283 13d2988-13d298e 281->283 284 13d28eb-13d28fa 281->284 282->274 285 140a4e4-140a4eb 282->285 288 13d2908-13d290c 283->288 286 140a58a-140a58d 284->286 287 13d2900-13d2905 284->287 289 140a564-140a56c 285->289 290 140a4ed-140a4f4 285->290 286->288 287->288 288->281 291 13d290e-13d291b 288->291 289->274 292 140a572-140a576 289->292 293 140a4f6-140a4fe 290->293 294 140a50b 290->294 295 140a592-140a599 291->295 296 13d2921 291->296 292->274 297 140a57c call 13e0050 292->297 293->274 298 140a504-140a509 293->298 299 140a510-140a536 call 13e0050 294->299 304 140a5a1-140a5c9 call 13e0050 295->304 300 13d2924-13d2926 296->300 315 140a55d-140a55f 297->315 298->299 299->315 301 13d2928-13d292a 300->301 302 13d2993-13d2995 300->302 306 13d292c-13d292e 301->306 307 13d2946-13d2966 call 13e0050 301->307 302->301 310 13d2997-13d29b1 call 13e0050 302->310 306->307 312 13d2930-13d2944 call 13e0050 306->312 322 13d2969-13d2974 307->322 310->322 312->307 319 13d2981-13d2985 315->319 322->300 324 13d2976-13d2979 322->324 324->304 325 13d297f 324->325 325->319
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: ___swprintf_l
                                                                      • String ID:
                                                                      • API String ID: 48624451-0
                                                                      • Opcode ID: f6b3e6ccb82119f6e8ef31b86090be9ab55c5a5d26df87e201fb2a27e1ee18f7
                                                                      • Instruction ID: d1649848d5ed42342daa63b758d9c374d3546e6b22c2a509f8610a8d3c5a2933
                                                                      • Opcode Fuzzy Hash: f6b3e6ccb82119f6e8ef31b86090be9ab55c5a5d26df87e201fb2a27e1ee18f7
                                                                      • Instruction Fuzzy Hash: EF5107B7A04216BFCB21DFADD88097FFBB8BB08248714812AF465D3681D374DE1087A0
                                                                      Function 013AA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 326 13aa250-13aa26f 327 13aa58d-13aa594 326->327 328 13aa275-13aa291 326->328 327->328 331 13aa59a-13f79bb 327->331 329 13f79e6-13f79eb 328->329 330 13aa297-13aa2a0 328->330 330->329 332 13aa2a6-13aa2ac 330->332 331->328 336 13f79c1-13f79c6 331->336 334 13aa6ba-13aa6bc 332->334 335 13aa2b2-13aa2b4 332->335 337 13aa2ba-13aa2bd 334->337 338 13aa6c2 334->338 335->329 335->337 339 13aa473-13aa479 336->339 337->329 340 13aa2c3-13aa2c6 337->340 338->340 341 13aa2da-13aa2dd 340->341 342 13aa2c8-13aa2d1 340->342 345 13aa2e3-13aa32b 341->345 346 13aa6c7-13aa6d0 341->346 343 13f79cb-13f79d5 342->343 344 13aa2d7 342->344 348 13f79da-13f79e3 call 141f290 343->348 344->341 349 13aa330-13aa335 345->349 346->345 347 13aa6d6-13f79ff 346->347 347->348 348->329 350 13aa33b-13aa343 349->350 351 13aa47c-13aa47f 349->351 355 13aa34f-13aa35d 350->355 356 13aa345-13aa349 350->356 351->355 357 13aa485-13aa488 351->357 359 13aa48e-13aa49e 355->359 360 13aa363-13aa368 355->360 356->355 358 13aa59f-13aa5a8 356->358 357->359 361 13f7a16-13f7a19 357->361 362 13aa5aa-13aa5ac 358->362 363 13aa5c0-13aa5c3 358->363 359->361 366 13aa4a4-13aa4ad 359->366 364 13aa36c-13aa36e 360->364 361->364 365 13f7a1f-13f7a24 361->365 362->355 367 13aa5b2-13aa5bb 362->367 368 13aa5c9-13aa5cc 363->368 369 13f7a01 363->369 370 13f7a26 364->370 371 13aa374-13aa38c call 13aa6e0 364->371 372 13f7a2b 365->372 366->364 367->364 373 13f7a0c 368->373 374 13aa5d2-13aa5d5 368->374 369->373 370->372 379 13aa4b2-13aa4b9 371->379 380 13aa392-13aa3ba 371->380 376 13f7a2d-13f7a2f 372->376 373->361 374->362 376->339 378 13f7a35 376->378 381 13aa3bc-13aa3be 379->381 382 13aa4bf-13aa4c2 379->382 380->381 381->376 383 13aa3c4-13aa3cb 381->383 382->381 384 13aa4c8-13aa4d3 382->384 385 13aa3d1-13aa3d4 383->385 386 13f7ae0 383->386 384->349 388 13aa3e0-13aa3ea 385->388 387 13f7ae4-13f7afc call 141f290 386->387 387->339 388->387 389 13aa3f0-13aa40c call 13aa840 388->389 394 13aa412-13aa417 389->394 395 13aa5d7-13aa5e0 389->395 394->339 396 13aa419-13aa43d 394->396 397 13aa5e2-13aa5eb 395->397 398 13aa601-13aa603 395->398 399 13aa440-13aa443 396->399 397->398 400 13aa5ed-13aa5f1 397->400 401 13aa629-13aa631 398->401 402 13aa605-13aa623 call 1394508 398->402 403 13aa4d8-13aa4dc 399->403 404 13aa449-13aa44c 399->404 405 13aa681-13aa6ab RtlDebugPrintTimes 400->405 406 13aa5f7-13aa5fb 400->406 402->339 402->401 408 13f7a3a-13f7a42 403->408 409 13aa4e2-13aa4e5 403->409 410 13aa452-13aa454 404->410 411 13f7ad6 404->411 405->398 421 13aa6b1-13aa6b5 405->421 406->398 406->405 414 13aa634-13aa64a 408->414 418 13f7a48-13f7a4c 408->418 413 13aa4eb-13aa4ee 409->413 409->414 416 13aa45a-13aa461 410->416 417 13aa520-13aa539 call 13aa6e0 410->417 411->386 413->404 419 13aa4f4-13aa50c 413->419 414->419 424 13aa650-13aa659 414->424 422 13aa57b-13aa582 416->422 423 13aa467-13aa46c 416->423 435 13aa65e-13aa665 417->435 436 13aa53f-13aa567 417->436 418->414 425 13f7a52-13f7a5b 418->425 419->404 428 13aa512-13aa51b 419->428 421->398 422->388 431 13aa588 422->431 423->339 430 13aa46e 423->430 424->410 426 13f7a5d-13f7a60 425->426 427 13f7a85-13f7a87 425->427 432 13f7a6e-13f7a71 426->432 433 13f7a62-13f7a6c 426->433 427->414 434 13f7a8d-13f7a96 427->434 428->410 430->339 431->386 440 13f7a7e 432->440 441 13f7a73-13f7a7c 432->441 439 13f7a81 433->439 434->410 437 13aa66b-13aa66e 435->437 438 13aa569-13aa56b 435->438 436->438 437->438 442 13aa674-13aa67c 437->442 438->423 443 13aa571-13aa573 438->443 439->427 440->439 441->434 442->399 444 13aa579 443->444 445 13f7a9b-13f7aa4 443->445 444->422 445->444 446 13f7aaa-13f7ab0 445->446 446->444 447 13f7ab6-13f7abe 446->447 447->444 448 13f7ac4-13f7acf 447->448 448->447 449 13f7ad1 448->449 449->444
                                                                      Strings
                                                                      • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013F79FA
                                                                      • SsHd, xrefs: 013AA3E4
                                                                      • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013F79D5
                                                                      • RtlpFindActivationContextSection_CheckParameters, xrefs: 013F79D0, 013F79F5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                      • API String ID: 0-929470617
                                                                      • Opcode ID: 4158093a4b17d3012b0fc91f6b808ed99f691a1eebc1fb470a2d1a831a22d9ae
                                                                      • Instruction ID: 70601d82d2ca774b19af02c25376d37b72443f1ddbf2ad600e7aac9900392ebe
                                                                      • Opcode Fuzzy Hash: 4158093a4b17d3012b0fc91f6b808ed99f691a1eebc1fb470a2d1a831a22d9ae
                                                                      • Instruction Fuzzy Hash: D6E1D3726043028FEB25CE28C484B2ABBE5FB8522CF544A2DFAA5DB391D731D945CB51
                                                                      Function 013AD770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013F936B
                                                                      • GsHd, xrefs: 013AD874
                                                                      • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013F9346
                                                                      • RtlpFindActivationContextSection_CheckParameters, xrefs: 013F9341, 013F9366
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                      • API String ID: 3446177414-576511823
                                                                      • Opcode ID: 95302bb0b5da4e9a60d6817fead8ba132aac77322bd4e3df6d16eb05f1f4eef3
                                                                      • Instruction ID: 9801416db1a48a2d3ec8b1ceb6d5eafa122adcb23680cfe5ab4846814f080ada
                                                                      • Opcode Fuzzy Hash: 95302bb0b5da4e9a60d6817fead8ba132aac77322bd4e3df6d16eb05f1f4eef3
                                                                      • Instruction Fuzzy Hash: 78E1A1706043468FEB24CF58C480B6ABBE5FF8831CF444A2DFA959B691D771E944CB42
                                                                      Function 013DB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldvrm
                                                                      • String ID: +$-$0$0
                                                                      • API String ID: 1302938615-699404926
                                                                      • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                      • Instruction ID: 167425d8c3b4911529f715f06154e3335b24623e9ebf3830a08e04a83f0f4889
                                                                      • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                      • Instruction Fuzzy Hash: 3B81E472E052498FEF25CE6CE4517FEFFB1AF46368F1A4119D861A7299C7348840C761
                                                                      Function 01399126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: $$@
                                                                      • API String ID: 3446177414-1194432280
                                                                      • Opcode ID: f3b0c6f69e99dcc614e2e2eb4dd1ddb4b9ea99e8ada03ed168918de4cb8b40d0
                                                                      • Instruction ID: 458a66dbf6e94a4f1dc53d643a3926bfc137ead4dd79034cbda932571f3d3e7e
                                                                      • Opcode Fuzzy Hash: f3b0c6f69e99dcc614e2e2eb4dd1ddb4b9ea99e8ada03ed168918de4cb8b40d0
                                                                      • Instruction Fuzzy Hash: 0B810C72D00269DBDB35CB54CC44BEEB7B8AB48758F0041EAEA19B7650D7709E84CFA0
                                                                      Function 013BDB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                      • API String ID: 3446177414-56086060
                                                                      • Opcode ID: eae830dcbc63258621954ffff170ead8a878eec89e38f023dd2fd5addd5ca341
                                                                      • Instruction ID: eb5430ce49ed4aa7774103c153329c605ebbc914292cea8855a6b157353f8223
                                                                      • Opcode Fuzzy Hash: eae830dcbc63258621954ffff170ead8a878eec89e38f023dd2fd5addd5ca341
                                                                      • Instruction Fuzzy Hash: 3C412832600745DFD722EF6CC485BAAB7B8EF0472CF14816DEA0147BA1DB78A884C791
                                                                      Function 01414755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      • LdrpCheckRedirection, xrefs: 0141488F
                                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01414899
                                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01414888
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                      • API String ID: 3446177414-3154609507
                                                                      • Opcode ID: b9b48c0561cad4bd2a29e3d5ae42de8aae195f1cfefe7e8e4ae2fd3668cb5a90
                                                                      • Instruction ID: 44fc32c90af61387e67352f4f9a46cf85e3c8df8252d8ffc23a2ff960bb44492
                                                                      • Opcode Fuzzy Hash: b9b48c0561cad4bd2a29e3d5ae42de8aae195f1cfefe7e8e4ae2fd3668cb5a90
                                                                      • Instruction Fuzzy Hash: 4D41D076A042518BCB22CE1DD840A2B7BE4AF89B50B0D056FED599B379D730D801CB81
                                                                      Function 013BDBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                                      • API String ID: 3446177414-3526935505
                                                                      • Opcode ID: b6cec05e2f3b650f37638984b9f559b5fcbece9a53a003f533098395236a8bbc
                                                                      • Instruction ID: 13db29c9245a4347cbd7836b402b807d2ce8ed4d35d08e6dc1844f9fd68d8ba0
                                                                      • Opcode Fuzzy Hash: b6cec05e2f3b650f37638984b9f559b5fcbece9a53a003f533098395236a8bbc
                                                                      • Instruction Fuzzy Hash: 10312732104785DFD722EB6CC449BA9BBECEF01B5CF04409DE94687BA6D7B8A884C751
                                                                      Function 0138C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: $
                                                                      • API String ID: 3446177414-3993045852
                                                                      • Opcode ID: e9ad625c1387f9aedb6262858b305d8ed3bac800bb70195eb00c784d07fce3be
                                                                      • Instruction ID: dbddc7df30305e840e1bcccfca435d2d774c10a8ac6226de39de8d1d35719ab4
                                                                      • Opcode Fuzzy Hash: e9ad625c1387f9aedb6262858b305d8ed3bac800bb70195eb00c784d07fce3be
                                                                      • Instruction Fuzzy Hash: 01112132A04719EBDF15AF94E84869D7B71FF84778F108519F92A6B2E0CB755A40CF80
                                                                      Function 013BEF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 14aed6bef8fe11cbd1c9555baaf48307db1f76dca2e62f8a421a79489b6184c9
                                                                      • Instruction ID: 0ababe388939a0bc9db4df87ca9f73643b4b8c620928236214c7ece8cbdce842
                                                                      • Opcode Fuzzy Hash: 14aed6bef8fe11cbd1c9555baaf48307db1f76dca2e62f8a421a79489b6184c9
                                                                      • Instruction Fuzzy Hash: CDE1F375D00608DFDB25CFA9C980ADDBBF9FF48318F14592AE646A7A61E730A941CF10
                                                                      Function 0140EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID:
                                                                      • API String ID: 3446177414-0
                                                                      • Opcode ID: beff610eabe25189e7ef32ca092eb8dd5cb195fd04c1a53325017498124475b2
                                                                      • Instruction ID: acb2f7e000c29854175f56e183fbe728592c21dda5836341d369c97e625dce1b
                                                                      • Opcode Fuzzy Hash: beff610eabe25189e7ef32ca092eb8dd5cb195fd04c1a53325017498124475b2
                                                                      • Instruction Fuzzy Hash: 4A710871E002199FDF16CFA6C984AEDBBB5BF48314F14403AE905FB2A4D774A909CB54
                                                                      Function 0140F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID:
                                                                      • API String ID: 3446177414-0
                                                                      • Opcode ID: b0ba533e3d59485aef29eb875353e665f12a0b0ae4bee988716888302d3d217a
                                                                      • Instruction ID: f364ff14da2a346377463af232846e67ad9e01919cd1f0ca23c5709570506061
                                                                      • Opcode Fuzzy Hash: b0ba533e3d59485aef29eb875353e665f12a0b0ae4bee988716888302d3d217a
                                                                      • Instruction Fuzzy Hash: BB513671E002199FDF16CF9AD845ADDBBB1BF88324F18803AE905B72A0D7349909CF54
                                                                      Function 013C7B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                                      • String ID:
                                                                      • API String ID: 4281723722-0
                                                                      • Opcode ID: f7bc3fb8a76293ac1b9573c5a8e0a95067209048f54bb6e6fc144ecacde24159
                                                                      • Instruction ID: cfc8d05c9d16bbf8882ee8c21c64f132603ee8b62b955b7360424b011f4ee88f
                                                                      • Opcode Fuzzy Hash: f7bc3fb8a76293ac1b9573c5a8e0a95067209048f54bb6e6fc144ecacde24159
                                                                      • Instruction Fuzzy Hash: 5F312671E006299FCF21DFA9E884AAEBBF0BB48724F14412AE911B73A4DB355901CF54
                                                                      Function 013959C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @
                                                                      • API String ID: 0-2766056989
                                                                      • Opcode ID: 6930770ba1e620fffd99919b2755e6d2ced5d1871b06ae70df962b1f5e737adb
                                                                      • Instruction ID: f84311dcd274dabe09d05c071c18a9bde54f8ae372f8e36c5ddee66c492eac19
                                                                      • Opcode Fuzzy Hash: 6930770ba1e620fffd99919b2755e6d2ced5d1871b06ae70df962b1f5e737adb
                                                                      • Instruction Fuzzy Hash: 39325A70D0426ADFEF26CF68C884BEDBBB5BB18308F0081EAD549A7641D7755A84CF91
                                                                      Function 013D7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: __aulldvrm
                                                                      • String ID: +$-
                                                                      • API String ID: 1302938615-2137968064
                                                                      • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                                      • Instruction ID: 78943ed4e37d51fe21d9b158687ca409cad2805a34fd85ec1b522a8bebecc8cc
                                                                      • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                                      • Instruction Fuzzy Hash: 5291D073E0021A9BEB34CF6DE881ABEBBA9FF4432CF14455AE955E72C0D73099458B50
                                                                      Function 013AD02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: Bl$l
                                                                      • API String ID: 3446177414-208461968
                                                                      • Opcode ID: 048e04e755fa94f617f4031b18679dc1363eee106576f212270a1951088664f0
                                                                      • Instruction ID: cd9df9fa6800faf077ed6fbdb5b8d6b79d5ab1a1434381fd2366b97af73abd85
                                                                      • Opcode Fuzzy Hash: 048e04e755fa94f617f4031b18679dc1363eee106576f212270a1951088664f0
                                                                      • Instruction Fuzzy Hash: DBA1D431A003298BEF31DF99C890BAEB7B5FB44308F4440E9D909A7A51DB74AE85CF51
                                                                      Function 013D5DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 013D5E34
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorHandling__start
                                                                      • String ID: pow
                                                                      • API String ID: 3213639722-2276729525
                                                                      • Opcode ID: d252726aeaa244313bddc1375f0b09f94d0e86cfc9846c8e2788d6c59102268a
                                                                      • Instruction ID: d2c067882faa4098a92a43b4a12d47ce2f5315f809cf5d235b5deae7929044eb
                                                                      • Opcode Fuzzy Hash: d252726aeaa244313bddc1375f0b09f94d0e86cfc9846c8e2788d6c59102268a
                                                                      • Instruction Fuzzy Hash: 89516D73908206D7D722B72CF5013BEAFA8EB4274CF15CD58E4D98A2ADDB34C4998746
                                                                      Function 013C4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0$Flst
                                                                      • API String ID: 0-758220159
                                                                      • Opcode ID: 6d2db5a429a4683c7efc25940424ead5dee5f7246e0e69a5423476ea1ee95c2d
                                                                      • Instruction ID: 0080120f9cd51b09fda1d8432977ca6dacff73bb3515b1a3c7a629d92c8f866e
                                                                      • Opcode Fuzzy Hash: 6d2db5a429a4683c7efc25940424ead5dee5f7246e0e69a5423476ea1ee95c2d
                                                                      • Instruction Fuzzy Hash: 74515BB1E006188FDF26EF99D49866DFBF4EF44B18F14802ED0499B2A2E7719D45CB80
                                                                      Function 013BD7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • RtlDebugPrintTimes.NTDLL ref: 013BD959
                                                                        • Part of subcall function 01394859: RtlDebugPrintTimes.NTDLL ref: 013948F7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: $$$
                                                                      • API String ID: 3446177414-233714265
                                                                      • Opcode ID: 5d7b44955c26e3512d08df730cb475417e1341f49fc1e0814b1094c74d2f83de
                                                                      • Instruction ID: 608a365fc956bae115b02b305de36013bfb098f12af75741147e6f3a83f9ed2c
                                                                      • Opcode Fuzzy Hash: 5d7b44955c26e3512d08df730cb475417e1341f49fc1e0814b1094c74d2f83de
                                                                      • Instruction Fuzzy Hash: DE51DF71A0434A9FDB25DFA8D4847DDBFB1BF4831CF14805DCA09ABA95E774A981CB80
                                                                      Function 0140FD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: $
                                                                      • API String ID: 3446177414-3993045852
                                                                      • Opcode ID: 8d932c8e2ac737b9345894a1681256258309ef78260c0f9e5697ad7f31abda94
                                                                      • Instruction ID: 8d4bf857b32dfcb78e32e90e0cd282cfd34a5f38c9ac6d3f64d0f33ea7faa97b
                                                                      • Opcode Fuzzy Hash: 8d932c8e2ac737b9345894a1681256258309ef78260c0f9e5697ad7f31abda94
                                                                      • Instruction Fuzzy Hash: 43416375900209ABDB22DF9AC840AEEBBB5FF88B14F14013AED05A7391D771DD15DBA0
                                                                      Function 0138DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2188495084.0000000001386000.00000040.00001000.00020000.00000000.sdmp, Offset: 01360000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001360000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001367000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.00000000013E6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001422000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001483000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      • Associated: 0000000D.00000002.2188495084.0000000001489000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1360000_OyXCaSLaAXfAKx.jbxd
                                                                      Similarity
                                                                      • API ID: DebugPrintTimes
                                                                      • String ID: 0$0
                                                                      • API String ID: 3446177414-203156872
                                                                      • Opcode ID: 5d83accc1ebdb74a8157aaa759114b7b9775d381380fb70f209cc144ff27c045
                                                                      • Instruction ID: f0407ba01ff1d74c68d440ef9031a2ab138eb5293107fc2daa965e6c43d84a91
                                                                      • Opcode Fuzzy Hash: 5d83accc1ebdb74a8157aaa759114b7b9775d381380fb70f209cc144ff27c045
                                                                      • Instruction Fuzzy Hash: 86415EB26087069FD710DF2DD484A1ABBE4FB88318F04492EF588DB751D771EA09CB96