Windows Analysis Report
Payment details.exe

Overview

General Information

Sample name: Payment details.exe
Analysis ID: 1432054
MD5: d88a9970ec7a11ade4a6dfc3d8150496
SHA1: 90e72afbb1eed4c0f20fbc8a7ef5e3069ece0eef
SHA256: c159014c79f8dc4d7888b0c092286f9b47fb2b1497dfbfa7c0620d78257127e2
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Payment details.exe (PID: 4200 cmdline: "C:\Users\user\Desktop\Payment details.exe" MD5: D88A9970EC7A11ADE4A6DFC3D8150496)
    • Payment details.exe (PID: 6372 cmdline: "C:\Users\user\Desktop\Payment details.exe" MD5: D88A9970EC7A11ADE4A6DFC3D8150496)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.teddyjnr.com", "Username": "cs2@teddyjnr.com", "Password": "Lisa#2022!"}
Yara matches (memory dumps):
  • Source: 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
  • Source: 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
  • Source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  • Source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
  • Source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

Yara matches (unpacked PE files):
  • Source: 3.2.Payment details.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  • Source: 3.2.Payment details.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
  • Source: 3.2.Payment details.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
    • 0x334f9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x3356b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x335f5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x33687:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x336f1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x33763:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x337f9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x33889:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Source: 0.2.Payment details.exe.36b7d78.10.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  • Source: 0.2.Payment details.exe.36b7d78.10.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 50.87.145.190, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Payment details.exe, Initiated: true, ProcessId: 6372, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49713
No Snort rule has matched

AV Detection

Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.teddyjnr.com", "Username": "cs2@teddyjnr.com", "Password": "Lisa#2022!"}
Source: Payment details.exe | Virustotal: Detection: 70%
Source: Payment details.exe | ReversingLabs: Detection: 71%
Source: Payment details.exe | Joe Sandbox ML: detected
Source: Payment details.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: Payment details.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Payment details.exe | Code function: 4x nop then jmp 06BE0CC4h | 0_2_06BE0211
Source: C:\Users\user\Desktop\Payment details.exe | Code function: 4x nop then jmp 06BE0CC4h | 0_2_06BE0364
Source: C:\Users\user\Desktop\Payment details.exe | Code function: 4x nop then jmp 06BE0CC4h | 0_2_06BE0AA9
Source: global traffic | TCP traffic: 192.168.2.8:49713 -> 50.87.145.190:587
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.teddyjnr.com
Source: Payment details.exe, 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.teddyjnr.com
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710777307.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710777307.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Payment details.exe, 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Payment details.exe, 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, 7KG.cs | .Net Code: VWsZPXPZ

System Summary

Source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: Payment details.exe, Form4.cs | Large array initialization: array initializer size 624245
Source: initial sample | Static PE information: Filename: Payment details.exe
Source: Payment details.exe, 00000000.00000002.1513799823.000000000402E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1517381828.0000000004D80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1510628607.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1512302122.0000000002695000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0f347a7e-8916-44ab-95d4-6c89075a4b35.exe4 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1512302122.0000000002651000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0f347a7e-8916-44ab-95d4-6c89075a4b35.exe4 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1520568404.000000000AC80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment details.exe
Source: Payment details.exe, 00000003.00000002.2710626788.0000000000F99000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment details.exe
Source: Payment details.exe, 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename0f347a7e-8916-44ab-95d4-6c89075a4b35.exe4 vs Payment details.exe
Source: Payment details.exe | Binary or memory string: OriginalFilenameKuVx.exeL vs Payment details.exe
Source: Payment details.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Payment details.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, 1UT6pzc0M.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, DnQOD3M.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, 01seU.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, iUDwvr7Gz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, XUu2qKyuF6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, aZathEIgR.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, l50VLEll22.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, UZVZoEDHpoVLjqNChJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, UZVZoEDHpoVLjqNChJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, UZVZoEDHpoVLjqNChJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\Payment details.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment details.exe.log
Source: C:\Users\user\Desktop\Payment details.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Payment details.exe | Mutant created: \Sessions\1\BaseNamedObjects\qdYnAdpdUHRUuIKSU
Source: Payment details.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Payment details.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment details.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment details.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payment details.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment details.exe | File read: C:\Users\user\Desktop\Payment details.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\Payment details.exe "C:\Users\user\Desktop\Payment details.exe"
Source: C:\Users\user\Desktop\Payment details.exe | Process created: C:\Users\user\Desktop\Payment details.exe "C:\Users\user\Desktop\Payment details.exe"
                    Source: C:\Users\user\Desktop\Payment details.exeProcess created: C:\Users\user\Desktop\Payment details.exe "C:\Users\user\Desktop\Payment details.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\Payment details.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\Payment details.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Payment details.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Payment details.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: Payment details.exe, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs | .Net Code: vL3RCssoS7 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs | .Net Code: vL3RCssoS7 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs | .Net Code: vL3RCssoS7 System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\Payment details.exe | Code function: 0_2_06AE7739 push ds; ret 0_2_06AE773A
                    Source: C:\Users\user\Desktop\Payment details.exe | Code function: 0_2_06AEF380 push esp; ret 0_2_06AEF381
                    Source: C:\Users\user\Desktop\Payment details.exe | Code function: 0_2_06AE8FA8 pushad ; ret 0_2_06AE8FA9
                    Source: C:\Users\user\Desktop\Payment details.exe | Code function: 0_2_06AE6C38 push ss; ret 0_2_06AE6C3A
                    Source: C:\Users\user\Desktop\Payment details.exe | Code function: 3_2_01600CB5 push edi; ret 3_2_01600CC2
                    Source: C:\Users\user\Desktop\Payment details.exe | Code function: 3_2_01600C95 push edi; retf 3_2_01600C3A
                    Source: C:\Users\user\Desktop\Payment details.exe | Code function: 3_2_074811B0 push es; ret 3_2_074811C0
                    Source: Payment details.exe | Static PE information: section name: .text entropy: 7.878264243644894
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, x1B8hexi7GdbtBIh7Q.cs | High entropy of concatenated method names: 'UrDrcrDsYH', 'YA7r5lLmgJ', 'VAKrClt89M', 'mKNr6AxPPP', 'rmFrh2tiga', 'D1LrURP2Z9', 'opsraNqyWt', 'OMYrypoIaa', 'n0Ocvhwcu3m5ksJ9f24', 'XGdbnCwZGNbuQ8Oa2IE'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, CIfLtp8bAODgXWbeaD.cs | High entropy of concatenated method names: 'CxI2VNSOhc', 'XZw2anMnKT', 'Ug32MhDNNi', 'XcB2kpxnso', 'uT92dqCx4O', 'AKh2LDE8rS', 'rKB2xIaL3l', 'qRb2SrSRij', 'svY2Xtlr83', 'yip2FNL5qr'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, VkT0kaHH30wdrJH2KoK.cs | High entropy of concatenated method names: 'ToString', 'rgL3uvfJss', 'yrG3RfTNgo', 'y7f39PUIUE', 'FbQ3mhOx3c', 'dAZ3KfLxh1', 'iqM3Hu2FI6', 'ak83j48wSu', 'ebX4JJtBcdTujFnvVJr', 'rk2dQNtrrZNiA8hWPal'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, i3O3Pj45OPHVIZdAWo.cs | High entropy of concatenated method names: 'FJGEYus1Ot', 'ihVEAmfq4N', 'l5psJX3fti', 'owLsNInIBW', 'ddREFnmlue', 'sfeEgMiOfc', 'IRWEOL0BcI', 'LN1EeiSeAe', 'ToYEBMsVSW', 'SxJEvaorx5'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, HGySSrHliPOapMJASi7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oXw3etXfOX', 'cO83BiIqZi', 'GAP3vbEk4m', 'WFg3GVSYAN', 'sNE3qUBPk6', 'ShY31L6Jde', 'PWH3TYajbq'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs | High entropy of concatenated method names: 'YsMu9goMHo', 'n0gumj8XL9', 'wL1uKkvsy0', 'ci3uHHVp7t', 'L1Yuj9HeIv', 'LwNurZX1gs', 'uRuuoY7XUt', 'Ebbunmhvnj', 'H4Hu0lVQ2Z', 'a1kuf3PCEG'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, CJmfd4WH4nChh1KFbY.cs | High entropy of concatenated method names: 'oEaEfuTKuA', 'T1BEba2EaG', 'ToString', 'TydEmxSZR6', 'RkWEKyZ4Ug', 'X8NEHmYpRQ', 'jfuEj8MRbb', 'YY6ErSPdFV', 'cVlEo7FK7Q', 'SiBEn2wQkJ'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, UIsVYqOQLU5Cs3K2UW.cs | High entropy of concatenated method names: 'PCpjPhrhMw', 'p0djUxW5ms', 'PwxHDcilX0', 'DhjHdjoAJr', 'pryHLbwEqQ', 'PgRHWiwLGV', 'xKyHxCZGI7', 'hOYHSglvaE', 'I2lHpJ0oef', 'sfJHXJiSAo'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, UZVZoEDHpoVLjqNChJ.cs | High entropy of concatenated method names: 'sfNKe4S0rT', 'ryKKBhIOGV', 'XLPKvsnbIL', 't1hKGuMh0o', 'tNJKq3OfI5', 'EExK11QPvK', 'mcZKTA1o3H', 'BLQKYAVyJV', 'XkkK8Fd2uO', 'ysmKALgM5n'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, UCivs3bd6ZHsjPWage.cs | High entropy of concatenated method names: 'K9Gsmpe9Xx', 'wXtsKk2wGQ', 'G8msH9j0p3', 'p6gsjDgg3i', 'YefsrB5Dnr', 'bFnsotamLH', 'spnsnWmAL9', 'G38s0QrJOT', 'mXMsfvaqms', 'zqOsbL4ipe'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, Du9TFDHBwOHsEU2frQV.cs | High entropy of concatenated method names: 'RjPI5h9mcW', 'XWGIQwYEEi', 'XKFIC8sYIE', 'vfpI6YbYw8', 'PGwIPpt2w6', 'zhoIhoopMx', 'i02IUt7VUo', 'E5XIVbKEta', 'SlVIa2EBAN', 'B8OIy0TgL0'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, dLsb5Uc8P80NOQC4lq.cs | High entropy of concatenated method names: 'aHMINcBh2s', 'DWWIuyNDdt', 'HynIR5xywh', 'HTZImOfopx', 'rIxIKnnrJd', 'lRgIjvLA7J', 'qEaIr3wTAQ', 'nkOsTCxAv0', 'hnQsY0lnoP', 'Ehts8eMkaG'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, EZWxpHzGjAS1YR9evs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jLgI2tuI7s', 'O9kIlPub1N', 'UDHIwR8yqj', 'SjkIEkOj44', 'ygYIsUTjMg', 'cO6II3opw6', 'TuiI3rMKU4'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, dQ34efIVneJTi0l4MZ.cs | High entropy of concatenated method names: 'ISiH6LA8yq', 'UHuHhWrn1X', 'XgnHVIt45Z', 'JrdHaxEK6M', 'MhEHllJgb0', 'RiPHwQuI5a', 'bSfHEuK1dY', 'd6QHsBtan6', 'dudHIaiqwD', 'DxnH30gBK2'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, QVqwBsQtuK0eguTdxM.cs | High entropy of concatenated method names: 'h7yr9bAbOy', 'Ei9rKQNHjG', 'uHGrj2h4hh', 'sFyroj997G', 'gGgrnauReM', 'hlOjqLFpyc', 'D53j14EOEE', 'GtrjTduKwu', 'li3jYjal9N', 'SNcj8NhxIl'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, MTfbaUAdhDRksDk6NZ.cs | High entropy of concatenated method names: 'Dispose', 'lhgN8Ks7Zw', 'Md7Zk1atdq', 'NKqiisP00L', 'veVNAoC2HV', 'L98NzMFvdm', 'ProcessDialogKey', 'siRZJ8q2MU', 'JClZNjCKYA', 'I6LZZclVFo'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, MgFmQbZoixFd3sa9Zx.cs | High entropy of concatenated method names: 'Qlxo5isRu9', 'CwboQLLqX9', 'Pu1oCHYkkt', 'mEto62dJqk', 'aKMoPHG29n', 'NKQohy3miB', 'YDfoUqg0lc', 'iEioV6GX9V', 'pWYoaZYXVi', 'bumoyiPKkB'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, je50eF3J6M7NjU5sUi.cs | High entropy of concatenated method names: 'PGAsMEcZbX', 'nOKsklMDUp', 'SkusD8OPc8', 'roVsdkoVOt', 'EbpsebKF2t', 'JfJsLv1WT0', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, CQg2GvSkepLbbBqnWo.cs | High entropy of concatenated method names: 'GvNCP7AVe', 'MJE6Uv7kn', 'jgQhF2CNJ', 'K3JUI1U7P', 'Mfwa5C3Ks', 'CXJyPOJ1m', 'eTo4LmDQBJqj67nKi7', 'Gi17C8qycHAL4c7n4L', 'calsv40Gn', 'g5w3xWbds'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, NMrhkP9rN3bakowSji.cs | High entropy of concatenated method names: 'gNZNoKHyqH', 'NUBNnmCAp6', 'wesNfQmg2X', 'nf7NbVXqBq', 'dqPNlP78pq', 'LqLNw36qI7', 'PT9ZwKK5dN3dIS0x8r', 'AcIdkHyWD71NxdbKWg', 'nkeNNYG3hC', 'XC6Nukj2va'
                    Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, OURUepHS0rINJ6GuUfW.cs | High entropy of concatenated method names: 'fKB35ugJWj', 'RUV3QFSnHD', 'pFE3CMbNe5', 'Ip8H8ttL1yfTpACHPNl', 'KEcN6gt0e0lGFqO0Rrs', 'IPODyNt5xsNiseybys5', 'oJWUY7tah4dY5PEdg7u'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, x1B8hexi7GdbtBIh7Q.cs | High entropy of concatenated method names: 'UrDrcrDsYH', 'YA7r5lLmgJ', 'VAKrClt89M', 'mKNr6AxPPP', 'rmFrh2tiga', 'D1LrURP2Z9', 'opsraNqyWt', 'OMYrypoIaa', 'n0Ocvhwcu3m5ksJ9f24', 'XGdbnCwZGNbuQ8Oa2IE'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, CIfLtp8bAODgXWbeaD.cs | High entropy of concatenated method names: 'CxI2VNSOhc', 'XZw2anMnKT', 'Ug32MhDNNi', 'XcB2kpxnso', 'uT92dqCx4O', 'AKh2LDE8rS', 'rKB2xIaL3l', 'qRb2SrSRij', 'svY2Xtlr83', 'yip2FNL5qr'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, VkT0kaHH30wdrJH2KoK.cs | High entropy of concatenated method names: 'ToString', 'rgL3uvfJss', 'yrG3RfTNgo', 'y7f39PUIUE', 'FbQ3mhOx3c', 'dAZ3KfLxh1', 'iqM3Hu2FI6', 'ak83j48wSu', 'ebX4JJtBcdTujFnvVJr', 'rk2dQNtrrZNiA8hWPal'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, i3O3Pj45OPHVIZdAWo.cs | High entropy of concatenated method names: 'FJGEYus1Ot', 'ihVEAmfq4N', 'l5psJX3fti', 'owLsNInIBW', 'ddREFnmlue', 'sfeEgMiOfc', 'IRWEOL0BcI', 'LN1EeiSeAe', 'ToYEBMsVSW', 'SxJEvaorx5'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, HGySSrHliPOapMJASi7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oXw3etXfOX', 'cO83BiIqZi', 'GAP3vbEk4m', 'WFg3GVSYAN', 'sNE3qUBPk6', 'ShY31L6Jde', 'PWH3TYajbq'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs | High entropy of concatenated method names: 'YsMu9goMHo', 'n0gumj8XL9', 'wL1uKkvsy0', 'ci3uHHVp7t', 'L1Yuj9HeIv', 'LwNurZX1gs', 'uRuuoY7XUt', 'Ebbunmhvnj', 'H4Hu0lVQ2Z', 'a1kuf3PCEG'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, CJmfd4WH4nChh1KFbY.cs | High entropy of concatenated method names: 'oEaEfuTKuA', 'T1BEba2EaG', 'ToString', 'TydEmxSZR6', 'RkWEKyZ4Ug', 'X8NEHmYpRQ', 'jfuEj8MRbb', 'YY6ErSPdFV', 'cVlEo7FK7Q', 'SiBEn2wQkJ'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, UIsVYqOQLU5Cs3K2UW.cs | High entropy of concatenated method names: 'PCpjPhrhMw', 'p0djUxW5ms', 'PwxHDcilX0', 'DhjHdjoAJr', 'pryHLbwEqQ', 'PgRHWiwLGV', 'xKyHxCZGI7', 'hOYHSglvaE', 'I2lHpJ0oef', 'sfJHXJiSAo'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, UZVZoEDHpoVLjqNChJ.cs | High entropy of concatenated method names: 'sfNKe4S0rT', 'ryKKBhIOGV', 'XLPKvsnbIL', 't1hKGuMh0o', 'tNJKq3OfI5', 'EExK11QPvK', 'mcZKTA1o3H', 'BLQKYAVyJV', 'XkkK8Fd2uO', 'ysmKALgM5n'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, UCivs3bd6ZHsjPWage.cs | High entropy of concatenated method names: 'K9Gsmpe9Xx', 'wXtsKk2wGQ', 'G8msH9j0p3', 'p6gsjDgg3i', 'YefsrB5Dnr', 'bFnsotamLH', 'spnsnWmAL9', 'G38s0QrJOT', 'mXMsfvaqms', 'zqOsbL4ipe'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, Du9TFDHBwOHsEU2frQV.cs | High entropy of concatenated method names: 'RjPI5h9mcW', 'XWGIQwYEEi', 'XKFIC8sYIE', 'vfpI6YbYw8', 'PGwIPpt2w6', 'zhoIhoopMx', 'i02IUt7VUo', 'E5XIVbKEta', 'SlVIa2EBAN', 'B8OIy0TgL0'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, dLsb5Uc8P80NOQC4lq.cs | High entropy of concatenated method names: 'aHMINcBh2s', 'DWWIuyNDdt', 'HynIR5xywh', 'HTZImOfopx', 'rIxIKnnrJd', 'lRgIjvLA7J', 'qEaIr3wTAQ', 'nkOsTCxAv0', 'hnQsY0lnoP', 'Ehts8eMkaG'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, EZWxpHzGjAS1YR9evs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jLgI2tuI7s', 'O9kIlPub1N', 'UDHIwR8yqj', 'SjkIEkOj44', 'ygYIsUTjMg', 'cO6II3opw6', 'TuiI3rMKU4'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, dQ34efIVneJTi0l4MZ.cs | High entropy of concatenated method names: 'ISiH6LA8yq', 'UHuHhWrn1X', 'XgnHVIt45Z', 'JrdHaxEK6M', 'MhEHllJgb0', 'RiPHwQuI5a', 'bSfHEuK1dY', 'd6QHsBtan6', 'dudHIaiqwD', 'DxnH30gBK2'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, QVqwBsQtuK0eguTdxM.cs | High entropy of concatenated method names: 'h7yr9bAbOy', 'Ei9rKQNHjG', 'uHGrj2h4hh', 'sFyroj997G', 'gGgrnauReM', 'hlOjqLFpyc', 'D53j14EOEE', 'GtrjTduKwu', 'li3jYjal9N', 'SNcj8NhxIl'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, MTfbaUAdhDRksDk6NZ.cs | High entropy of concatenated method names: 'Dispose', 'lhgN8Ks7Zw', 'Md7Zk1atdq', 'NKqiisP00L', 'veVNAoC2HV', 'L98NzMFvdm', 'ProcessDialogKey', 'siRZJ8q2MU', 'JClZNjCKYA', 'I6LZZclVFo'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, MgFmQbZoixFd3sa9Zx.cs | High entropy of concatenated method names: 'Qlxo5isRu9', 'CwboQLLqX9', 'Pu1oCHYkkt', 'mEto62dJqk', 'aKMoPHG29n', 'NKQohy3miB', 'YDfoUqg0lc', 'iEioV6GX9V', 'pWYoaZYXVi', 'bumoyiPKkB'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, je50eF3J6M7NjU5sUi.cs | High entropy of concatenated method names: 'PGAsMEcZbX', 'nOKsklMDUp', 'SkusD8OPc8', 'roVsdkoVOt', 'EbpsebKF2t', 'JfJsLv1WT0', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, CQg2GvSkepLbbBqnWo.cs | High entropy of concatenated method names: 'GvNCP7AVe', 'MJE6Uv7kn', 'jgQhF2CNJ', 'K3JUI1U7P', 'Mfwa5C3Ks', 'CXJyPOJ1m', 'eTo4LmDQBJqj67nKi7', 'Gi17C8qycHAL4c7n4L', 'calsv40Gn', 'g5w3xWbds'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, NMrhkP9rN3bakowSji.cs | High entropy of concatenated method names: 'gNZNoKHyqH', 'NUBNnmCAp6', 'wesNfQmg2X', 'nf7NbVXqBq', 'dqPNlP78pq', 'LqLNw36qI7', 'PT9ZwKK5dN3dIS0x8r', 'AcIdkHyWD71NxdbKWg', 'nkeNNYG3hC', 'XC6Nukj2va'
                    Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, OURUepHS0rINJ6GuUfW.cs | High entropy of concatenated method names: 'fKB35ugJWj', 'RUV3QFSnHD', 'pFE3CMbNe5', 'Ip8H8ttL1yfTpACHPNl', 'KEcN6gt0e0lGFqO0Rrs', 'IPODyNt5xsNiseybys5', 'oJWUY7tah4dY5PEdg7u'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, x1B8hexi7GdbtBIh7Q.cs | High entropy of concatenated method names: 'UrDrcrDsYH', 'YA7r5lLmgJ', 'VAKrClt89M', 'mKNr6AxPPP', 'rmFrh2tiga', 'D1LrURP2Z9', 'opsraNqyWt', 'OMYrypoIaa', 'n0Ocvhwcu3m5ksJ9f24', 'XGdbnCwZGNbuQ8Oa2IE'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, CIfLtp8bAODgXWbeaD.cs | High entropy of concatenated method names: 'CxI2VNSOhc', 'XZw2anMnKT', 'Ug32MhDNNi', 'XcB2kpxnso', 'uT92dqCx4O', 'AKh2LDE8rS', 'rKB2xIaL3l', 'qRb2SrSRij', 'svY2Xtlr83', 'yip2FNL5qr'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, VkT0kaHH30wdrJH2KoK.cs | High entropy of concatenated method names: 'ToString', 'rgL3uvfJss', 'yrG3RfTNgo', 'y7f39PUIUE', 'FbQ3mhOx3c', 'dAZ3KfLxh1', 'iqM3Hu2FI6', 'ak83j48wSu', 'ebX4JJtBcdTujFnvVJr', 'rk2dQNtrrZNiA8hWPal'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, i3O3Pj45OPHVIZdAWo.cs | High entropy of concatenated method names: 'FJGEYus1Ot', 'ihVEAmfq4N', 'l5psJX3fti', 'owLsNInIBW', 'ddREFnmlue', 'sfeEgMiOfc', 'IRWEOL0BcI', 'LN1EeiSeAe', 'ToYEBMsVSW', 'SxJEvaorx5'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, HGySSrHliPOapMJASi7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oXw3etXfOX', 'cO83BiIqZi', 'GAP3vbEk4m', 'WFg3GVSYAN', 'sNE3qUBPk6', 'ShY31L6Jde', 'PWH3TYajbq'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs | High entropy of concatenated method names: 'YsMu9goMHo', 'n0gumj8XL9', 'wL1uKkvsy0', 'ci3uHHVp7t', 'L1Yuj9HeIv', 'LwNurZX1gs', 'uRuuoY7XUt', 'Ebbunmhvnj', 'H4Hu0lVQ2Z', 'a1kuf3PCEG'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, CJmfd4WH4nChh1KFbY.cs | High entropy of concatenated method names: 'oEaEfuTKuA', 'T1BEba2EaG', 'ToString', 'TydEmxSZR6', 'RkWEKyZ4Ug', 'X8NEHmYpRQ', 'jfuEj8MRbb', 'YY6ErSPdFV', 'cVlEo7FK7Q', 'SiBEn2wQkJ'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, UIsVYqOQLU5Cs3K2UW.cs | High entropy of concatenated method names: 'PCpjPhrhMw', 'p0djUxW5ms', 'PwxHDcilX0', 'DhjHdjoAJr', 'pryHLbwEqQ', 'PgRHWiwLGV', 'xKyHxCZGI7', 'hOYHSglvaE', 'I2lHpJ0oef', 'sfJHXJiSAo'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, UZVZoEDHpoVLjqNChJ.cs | High entropy of concatenated method names: 'sfNKe4S0rT', 'ryKKBhIOGV', 'XLPKvsnbIL', 't1hKGuMh0o', 'tNJKq3OfI5', 'EExK11QPvK', 'mcZKTA1o3H', 'BLQKYAVyJV', 'XkkK8Fd2uO', 'ysmKALgM5n'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, UCivs3bd6ZHsjPWage.cs | High entropy of concatenated method names: 'K9Gsmpe9Xx', 'wXtsKk2wGQ', 'G8msH9j0p3', 'p6gsjDgg3i', 'YefsrB5Dnr', 'bFnsotamLH', 'spnsnWmAL9', 'G38s0QrJOT', 'mXMsfvaqms', 'zqOsbL4ipe'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, Du9TFDHBwOHsEU2frQV.cs | High entropy of concatenated method names: 'RjPI5h9mcW', 'XWGIQwYEEi', 'XKFIC8sYIE', 'vfpI6YbYw8', 'PGwIPpt2w6', 'zhoIhoopMx', 'i02IUt7VUo', 'E5XIVbKEta', 'SlVIa2EBAN', 'B8OIy0TgL0'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, dLsb5Uc8P80NOQC4lq.cs | High entropy of concatenated method names: 'aHMINcBh2s', 'DWWIuyNDdt', 'HynIR5xywh', 'HTZImOfopx', 'rIxIKnnrJd', 'lRgIjvLA7J', 'qEaIr3wTAQ', 'nkOsTCxAv0', 'hnQsY0lnoP', 'Ehts8eMkaG'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, EZWxpHzGjAS1YR9evs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jLgI2tuI7s', 'O9kIlPub1N', 'UDHIwR8yqj', 'SjkIEkOj44', 'ygYIsUTjMg', 'cO6II3opw6', 'TuiI3rMKU4'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, dQ34efIVneJTi0l4MZ.cs | High entropy of concatenated method names: 'ISiH6LA8yq', 'UHuHhWrn1X', 'XgnHVIt45Z', 'JrdHaxEK6M', 'MhEHllJgb0', 'RiPHwQuI5a', 'bSfHEuK1dY', 'd6QHsBtan6', 'dudHIaiqwD', 'DxnH30gBK2'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, QVqwBsQtuK0eguTdxM.cs | High entropy of concatenated method names: 'h7yr9bAbOy', 'Ei9rKQNHjG', 'uHGrj2h4hh', 'sFyroj997G', 'gGgrnauReM', 'hlOjqLFpyc', 'D53j14EOEE', 'GtrjTduKwu', 'li3jYjal9N', 'SNcj8NhxIl'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, MTfbaUAdhDRksDk6NZ.cs | High entropy of concatenated method names: 'Dispose', 'lhgN8Ks7Zw', 'Md7Zk1atdq', 'NKqiisP00L', 'veVNAoC2HV', 'L98NzMFvdm', 'ProcessDialogKey', 'siRZJ8q2MU', 'JClZNjCKYA', 'I6LZZclVFo'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, MgFmQbZoixFd3sa9Zx.cs | High entropy of concatenated method names: 'Qlxo5isRu9', 'CwboQLLqX9', 'Pu1oCHYkkt', 'mEto62dJqk', 'aKMoPHG29n', 'NKQohy3miB', 'YDfoUqg0lc', 'iEioV6GX9V', 'pWYoaZYXVi', 'bumoyiPKkB'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, je50eF3J6M7NjU5sUi.cs | High entropy of concatenated method names: 'PGAsMEcZbX', 'nOKsklMDUp', 'SkusD8OPc8', 'roVsdkoVOt', 'EbpsebKF2t', 'JfJsLv1WT0', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, CQg2GvSkepLbbBqnWo.cs | High entropy of concatenated method names: 'GvNCP7AVe', 'MJE6Uv7kn', 'jgQhF2CNJ', 'K3JUI1U7P', 'Mfwa5C3Ks', 'CXJyPOJ1m', 'eTo4LmDQBJqj67nKi7', 'Gi17C8qycHAL4c7n4L', 'calsv40Gn', 'g5w3xWbds'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, NMrhkP9rN3bakowSji.cs | High entropy of concatenated method names: 'gNZNoKHyqH', 'NUBNnmCAp6', 'wesNfQmg2X', 'nf7NbVXqBq', 'dqPNlP78pq', 'LqLNw36qI7', 'PT9ZwKK5dN3dIS0x8r', 'AcIdkHyWD71NxdbKWg', 'nkeNNYG3hC', 'XC6Nukj2va'
                    Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, OURUepHS0rINJ6GuUfW.cs | High entropy of concatenated method names: 'fKB35ugJWj', 'RUV3QFSnHD', 'pFE3CMbNe5', 'Ip8H8ttL1yfTpACHPNl', 'KEcN6gt0e0lGFqO0Rrs', 'IPODyNt5xsNiseybys5', 'oJWUY7tah4dY5PEdg7u'
                    Source: C:\Users\user\Desktop\Payment details.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\Payment details.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\Payment details.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Payment details.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\Payment details.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 8C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 2650000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 24B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 86E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 68D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 96E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: A6E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: AD00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 1600000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 3040000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: 2E80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Payment details.exe; Window / User API: threadDelayed 4154
                    Source: C:\Users\user\Desktop\Payment details.exe; Window / User API: threadDelayed 1322
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 7124; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -99891s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 2772; Thread sleep count: 4154 > 30
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -99766s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 2772; Thread sleep count: 1322 > 30
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -99654s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -99421s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -99302s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -99172s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -99047s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98937s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98828s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98719s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98594s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98484s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98375s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98265s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -98047s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -97936s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -97828s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -97688s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -97563s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -97438s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -97313s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -97203s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -97094s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -96969s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe TID: 3272; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Payment details.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Payment details.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Payment details.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 99891
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 99766
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 99654
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 99531
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 99421
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 99302
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 99172
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 99047
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98937
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98828
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98719
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98594
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98484
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98375
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98265
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98156
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 98047
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 97936
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 97828
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 97688
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 97563
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 97438
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 97313
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 97203
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 97094
                    Source: C:\Users\user\Desktop\Payment details.exe; Thread delayed: delay time: 96969
                    Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Payment details.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Payment details.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Payment details.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Payment details.exe; Memory written: C:\Users\user\Desktop\Payment details.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Payment details.exe; Process created: C:\Users\user\Desktop\Payment details.exe "C:\Users\user\Desktop\Payment details.exe"
                    Source: C:\Users\user\Desktop\Payment details.exe; Queries volume information: C:\Users\user\Desktop\Payment details.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Payment details.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Payment details.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Payment details.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Payment details.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Payment details.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Payment details.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Payment details.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Payment details.exe PID: 4200, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Payment details.exe PID: 6372, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Payment details.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\Payment details.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Payment details.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\Payment details.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\Payment details.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Payment details.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\Payment details.exe; File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\Payment details.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\Payment details.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\Payment details.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match; File source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Payment details.exe PID: 4200, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Payment details.exe PID: 6372, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Payment details.exe PID: 4200, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Payment details.exe PID: 6372, type: MEMORYSTR

                    ATT&CK Matrix (one line per tactic; the number after a technique is the signature count shown in the report)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Windows Management Instrumentation (121); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: DLL Side-Loading (1); Process Injection (111); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (111)
                    Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: File and Directory Discovery (1); System Information Discovery (24); Query Registry (1); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Network Configuration Discovery (1)
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (23); Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Source | Detection | Scanner | Label
                    Payment details.exe | 71% | Virustotal |
                    Payment details.exe | 71% | ReversingLabs | Win32.Trojan.Jalapeno
                    Payment details.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    mail.teddyjnr.com | 0% | Virustotal |
                    Source | Detection | Scanner | Label
                    http://r3.o.lencr.org0 | 0% | URL Reputation | safe
                    http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
                    http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
                    http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
                    http://mail.teddyjnr.com | 0% | Avira URL Cloud | safe
                    http://mail.teddyjnr.com | 0% | Virustotal |
                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ipify.org
                    104.26.13.205
                    truefalse
                      high
                      mail.teddyjnr.com
                      50.87.145.190
                      truetrueunknown
                      NameMaliciousAntivirus DetectionReputation
                      https://api.ipify.org/false
                        high
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://r3.o.lencr.org0 | Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710777307.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | Payment details.exe, 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | Payment details.exe, 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.teddyjnr.com | Payment details.exe, 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0 | Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710777307.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
50.87.145.190 | mail.teddyjnr.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1432054
Start date and time: 2024-04-26 11:08:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment details.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 97
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:09:16 | API Interceptor | 28x Sleep call for process: Payment details.exe modified
Context: IPs
Match: 104.26.13.205
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | Get hash | malicious | PureLog Stealer, Targeted Ransomware | Browse | api.ipify.org/
Sky-Beta-Setup.exe | Get hash | malicious | Stealit | Browse | api.ipify.org/?format=json
ArenaWarSetup.exe | Get hash | malicious | Stealit | Browse | api.ipify.org/?format=json
Sky-Beta Setup 1.0.0.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/?format=json
E4sbo4F6Sz.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
E4sbo4F6Sz.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | Get hash | malicious | PureLog Stealer, Targeted Ransomware | Browse | api.ipify.org/

Context: Domains
Match: api.ipify.org
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Statement of Account PDF.bat.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.12.205
CHEMICAL SPECIFICATIONS.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
Payment.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
SOA FOR APR 2024 PDF.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.12.205
Payment Swift.doc | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
https://lide.alosalca.fun/highbox#joeblow@xyz.com | Get hash | malicious | HTMLPhisher | Browse | 104.26.13.205
http://asana.wf | Get hash | malicious | Unknown | Browse | 172.67.74.152
o3KyzpE7F4.ps1 | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
http://wsj.pm | Get hash | malicious | NetSupport RAT | Browse | 104.26.12.205
16770075581.zip | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.12.205

Context: ASNs
Match: CLOUDFLARENETUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.4.15
https://deebmpapst.ordineproposal.top/ | Get hash | malicious | Unknown | Browse | 104.17.2.184
Statement of Account PDF.bat.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.12.205
https://powerpointmicrosoftoffice.top/ | Get hash | malicious | Unknown | Browse | 104.17.3.184
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:d35aec95-f365-414c-8371-68e6d7d2ec41 | Get hash | malicious | Unknown | Browse | 104.17.28.92
150-425-2024.exe | Get hash | malicious | FormBook | Browse | 23.227.38.74
CHEMICAL SPECIFICATIONS.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
Payment.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
https://usigroups-my.sharepoint.com/:o:/p/js/Es3HdUJZlbVJngCJE-Z7JCYBUTZvd1ZCMQwZhhlQoy_hDw?e=mT2aQm | Get hash | malicious | HTMLPhisher | Browse | 172.67.144.70
SOA FOR APR 2024 PDF.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.12.205

Match: UNIFIEDLAYER-AS-1US
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
http://www.tbmuae.com/ | Get hash | malicious | GRQ Scam | Browse | 198.57.149.230
Statement of Account PDF.bat.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.195.61
Quotation Order.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.166
DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.253.239
CHEMICAL SPECIFICATIONS.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.136
SOA FOR APR 2024 PDF.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 50.87.195.61
INQ No. HDPE-16-GM-00- PI-INQ-3001.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 162.240.81.18
DOC-Zcns1G_.html | Get hash | malicious | HTMLPhisher | Browse | 192.232.216.145
DOC-Zcns1G_.html | Get hash | malicious | HTMLPhisher | Browse | 192.232.216.145
DOC-Zcns1G_.html | Get hash | malicious | HTMLPhisher | Browse | 192.232.216.145

Context: JA3 Fingerprints
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Statement of Account PDF.bat.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.13.205
CHEMICAL SPECIFICATIONS.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
Payment.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
SOA FOR APR 2024 PDF.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.13.205
DHL_ES567436735845755676678877988975877.vbs | Get hash | malicious | FormBook, GuLoader, Remcos | Browse | 104.26.13.205
PO-inv-CQV20(92315).exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
a.cmd | Get hash | malicious | Unknown | Browse | 104.26.13.205
http://papajoeschicago.com | Get hash | malicious | Unknown | Browse | 104.26.13.205
https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1 | Get hash | malicious | Unknown | Browse | 104.26.13.205
o3KyzpE7F4.ps1 | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.13.205

Context: Dropped Files
No context
Process: C:\Users\user\Desktop\Payment details.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.868517558888531
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Payment details.exe
File size: 722'944 bytes
MD5: d88a9970ec7a11ade4a6dfc3d8150496
SHA1: 90e72afbb1eed4c0f20fbc8a7ef5e3069ece0eef
SHA256: c159014c79f8dc4d7888b0c092286f9b47fb2b1497dfbfa7c0620d78257127e2
SHA512: 54596967f17980e34528c20a2b284edcd03c02dd105d904600cb4e48816b560c201371b2f202db962a1df37dca310dd4a82ed08ab12683ccde74dd404d0a1af2
SSDEEP: 12288:GTn3D0uf8+u0wrXN/HoX18jyU0rOcKdIXxIlmQockPZS+/I6YtMl0:Az0uf8+1wriF8grBkIhIlmQocz+/TmM
TLSH: 7CF4124875BBAF1ACBBD93F84561146417B2A06FA2B1E30B0FC390D61E22F904E55F57
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&f................................. ........@.. .......................`............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4b1b1e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x662603EC [Mon Apr 22 06:30:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entry point 0x4b1b1e)
jmp dword ptr [00402000h]
(the rest of the disassembly window is zero padding, which decodes as repeated "add byte ptr [eax], al")
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb1acc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xafb24 | 0xafc00 | 17db68ba20bb60d5487ede73af5889a7 | False | 0.92745099128734 | data | 7.878264243644894 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x800 | 0x800 | a61be7487f4798a73fbc0378f16a9cd1 | False | 0.33447265625 | data | 3.4176678192869443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb4000 | 0xc | 0x200 | e231f7a583caf3d19355e130fe613048 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb2090 | 0x380 | data | | | 0.4296875
RT_MANIFEST | 0xb2420 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
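The static fields above describe a PE32 .NET image: the only import is mscoree!_CorExeMain, the entry point is a single jmp through the IAT slot at RVA 0x2000 (absolute address 0x402000 with image base 0x400000), the CLR header sits at RVA 0x2008 (data directory 14, size 0x48), and the .text section has entropy 7.88 with ZLIB complexity 0.93, which is what a packed or encrypted payload inside a small loader looks like. The script below is an added example, not code from the Joe Sandbox report or from the sample; it builds a constructed PE32 in memory with the same layout (image base, IAT and CLR header RVAs, DllCharacteristics 0x8540, a near-uniform .text) and recovers those three observations from the headers alone. Every function name in it is the example's own, and the constructed image is not the analysed file.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14          # data directory indices


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes (the report's Entropy (8bit))."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(data: bytes) -> dict:
    """Read only what a first-pass triage needs from a PE32 (magic 0x10b) image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                        # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    nrva = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(nrva)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": raw, "characteristics": chars, "entropy": shannon_entropy(raw)})
    return {"entry": entry, "image_base": image_base, "dirs": dirs, "sections": sections}


def read_at_rva(pe: dict, rva: int, size: int) -> bytes:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            off = rva - s["va"]
            return s["raw"][off:off + size]
    return b""


def triage(pe: dict) -> list:
    """The three static observations the report makes, expressed as checks."""
    findings = []
    clr_rva, clr_size = pe["dirs"][DIR_COM_DESCRIPTOR] if len(pe["dirs"]) > DIR_COM_DESCRIPTOR else (0, 0)
    if clr_rva:
        findings.append(f"managed (.NET) image: CLR header at RVA 0x{clr_rva:x}, size 0x{clr_size:x}")
    iat_rva = pe["dirs"][DIR_IAT][0] if len(pe["dirs"]) > DIR_IAT else 0
    stub = read_at_rva(pe, pe["entry"], 6)
    # A .NET PE32 entry point is FF 25 <abs addr>: jmp dword ptr [IAT slot of mscoree!_CorExeMain]
    if len(stub) == 6 and stub[:2] == b"\xff\x25" and struct.unpack("<I", stub[2:])[0] == pe["image_base"] + iat_rva:
        findings.append(f"entry point 0x{pe['entry']:x} is the CLR loader stub: jmp dword ptr [{pe['image_base'] + iat_rva:08x}h]")
    for s in pe["sections"]:
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:
            findings.append(f"executable section {s['name']} has entropy {s['entropy']:.2f}: packed or encrypted content")
    return findings


def build_sample() -> bytes:
    """Constructed PE32 with the report's layout (image base 0x400000, IAT at RVA 0x2000,
    CLR header at 0x2008, high-entropy .text). It is not the analysed file."""
    image_base, text_va, rsrc_va, hdr_size = 0x400000, 0x2000, 0x4000, 0x200
    iat_rva, clr_rva = text_va, text_va + 8
    text = b"\0" * (8 + 0x48)                                      # IAT slot + 72-byte CLR header area
    entry_rva = text_va + len(text)
    text += b"\xff\x25" + struct.pack("<I", image_base + iat_rva)  # jmp dword ptr [00402000h]
    text += bytes(range(256)) * 16                                 # uniform bytes, entropy close to 8
    rsrc = b'<?xml version="1.0"?><assembly/>'.ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 48, 0, len(text), len(rsrc), 0, entry_rva,
                      text_va, rsrc_va, image_base, 0x2000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHH", 4, 0, 0, 0, 4, 0, 0, rsrc_va + 0x1000, hdr_size, 0, 2, 0x8540)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (iat_rva, 8), (clr_rva, 0x48)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def sec(name, va, raw, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt
               + sec(b".text", text_va, text, hdr_size, 0x60000020)
               + sec(b".rsrc", rsrc_va, rsrc, hdr_size + len(text), 0x40000040))
    return headers.ljust(hdr_size, b"\0") + text + rsrc


if __name__ == "__main__":
    for line in triage(parse_pe32(build_sample())):
        print(line)
```

Run against a real file (parse_pe32(open(path, "rb").read())) the same checks reproduce the report's static section: a non-zero COM descriptor directory is the reliable .NET indicator regardless of what TrID says, and an entry stub that is nothing but jmp [IAT] means the native disassembly window is uninformative and the real logic has to be read from the CIL. The entropy threshold of 7.0 is an assumption; the report's 7.88 on a 0xafc00-byte .text is far above it.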
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 11:09:20.850116014 CEST | 49711 | 443 | 192.168.2.8 | 104.26.13.205
Apr 26, 2024 11:09:20.850161076 CEST | 443 | 49711 | 104.26.13.205 | 192.168.2.8
Apr 26, 2024 11:09:20.850243092 CEST | 49711 | 443 | 192.168.2.8 | 104.26.13.205
Apr 26, 2024 11:09:20.856548071 CEST | 49711 | 443 | 192.168.2.8 | 104.26.13.205
Apr 26, 2024 11:09:20.856564045 CEST | 443 | 49711 | 104.26.13.205 | 192.168.2.8
Apr 26, 2024 11:09:21.119616032 CEST | 443 | 49711 | 104.26.13.205 | 192.168.2.8
Apr 26, 2024 11:09:21.119796991 CEST | 49711 | 443 | 192.168.2.8 | 104.26.13.205
Apr 26, 2024 11:09:21.124146938 CEST | 49711 | 443 | 192.168.2.8 | 104.26.13.205
Apr 26, 2024 11:09:21.124156952 CEST | 443 | 49711 | 104.26.13.205 | 192.168.2.8
Apr 26, 2024 11:09:21.124428034 CEST | 443 | 49711 | 104.26.13.205 | 192.168.2.8
Apr 26, 2024 11:09:21.176373005 CEST | 49711 | 443 | 192.168.2.8 | 104.26.13.205
Apr 26, 2024 11:09:21.224117041 CEST | 443 | 49711 | 104.26.13.205 | 192.168.2.8
Apr 26, 2024 11:09:21.437210083 CEST | 443 | 49711 | 104.26.13.205 | 192.168.2.8
Apr 26, 2024 11:09:21.437277079 CEST | 443 | 49711 | 104.26.13.205 | 192.168.2.8
Apr 26, 2024 11:09:21.437318087 CEST | 49711 | 443 | 192.168.2.8 | 104.26.13.205
Apr 26, 2024 11:09:21.465548038 CEST | 49711 | 443 | 192.168.2.8 | 104.26.13.205
Apr 26, 2024 11:09:22.356146097 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:22.552953005 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:22.553281069 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:22.807049036 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:22.807267904 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:23.004237890 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:23.004475117 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:23.202624083 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:23.203140020 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:23.409573078 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:23.409599066 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:23.409612894 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:23.409713984 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:23.455651045 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:23.652559996 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:23.655766964 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:23.852494955 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:23.853585958 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:24.051192999 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:24.052196980 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:24.289906025 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:24.343063116 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:24.343478918 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:24.543391943 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:24.543418884 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:24.543670893 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:24.780988932 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:24.784156084 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:24.980956078 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:24.981585026 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:24.981643915 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:24.981667995 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:24.981687069 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:09:25.178258896 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:25.178287029 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:25.178411007 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:25.179145098 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:09:25.223887920 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:11:02.099368095 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
Apr 26, 2024 11:11:02.302187920 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8
Apr 26, 2024 11:11:02.302892923 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Apr 26, 2024 11:09:20.718502045 CEST | 64895 | 53 | 192.168.2.8 | 1.1.1.1
                                Apr 26, 2024 11:09:20.844152927 CEST | 53 | 64895 | 1.1.1.1 | 192.168.2.8
                                Apr 26, 2024 11:09:22.073586941 CEST | 55334 | 53 | 192.168.2.8 | 1.1.1.1
                                Apr 26, 2024 11:09:22.355214119 CEST | 53 | 55334 | 1.1.1.1 | 192.168.2.8
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Apr 26, 2024 11:09:20.718502045 CEST | 192.168.2.8 | 1.1.1.1 | 0x1f3 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                Apr 26, 2024 11:09:22.073586941 CEST | 192.168.2.8 | 1.1.1.1 | 0x9968 | Standard query (0) | mail.teddyjnr.com | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Apr 26, 2024 11:09:20.844152927 CEST | 1.1.1.1 | 192.168.2.8 | 0x1f3 | No error (0) | api.ipify.org | (none) | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                Apr 26, 2024 11:09:20.844152927 CEST | 1.1.1.1 | 192.168.2.8 | 0x1f3 | No error (0) | api.ipify.org | (none) | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                Apr 26, 2024 11:09:20.844152927 CEST | 1.1.1.1 | 192.168.2.8 | 0x1f3 | No error (0) | api.ipify.org | (none) | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                Apr 26, 2024 11:09:22.355214119 CEST | 1.1.1.1 | 192.168.2.8 | 0x9968 | No error (0) | mail.teddyjnr.com | (none) | 50.87.145.190 | A (IP address) | IN (0x0001) | false
                                • api.ipify.org
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.8 | 49711 | 104.26.13.205 | 443 | 6372 | C:\Users\user\Desktop\Payment details.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-04-26 09:09:21 UTC | 155 | OUT | GET / HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                Host: api.ipify.org
                                Connection: Keep-Alive
                                2024-04-26 09:09:21 UTC | 211 | IN | HTTP/1.1 200 OK
                                Date: Fri, 26 Apr 2024 09:09:21 GMT
                                Content-Type: text/plain
                                Content-Length: 15
                                Connection: close
                                Vary: Origin
                                CF-Cache-Status: DYNAMIC
                                Server: cloudflare
                                CF-RAY: 87a56ef858fa6c87-MIA
                                2024-04-26 09:09:21 UTC | 15 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30
                                Data Ascii: 102.129.152.220


                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                Apr 26, 2024 11:09:22.807049036 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8 | 220-gator3409.hostgator.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 04:09:22 -0500
                                220-We do not authorize the use of this system to transport unsolicited,
                                220 and/or bulk e-mail.
                                Apr 26, 2024 11:09:22.807267904 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190 | EHLO 887849
                                Apr 26, 2024 11:09:23.004237890 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8 | 250-gator3409.hostgator.com Hello 887849 [102.129.152.220]
                                250-SIZE 52428800
                                250-8BITMIME
                                250-PIPELINING
                                250-PIPECONNECT
                                250-AUTH PLAIN LOGIN
                                250-STARTTLS
                                250 HELP
                                Apr 26, 2024 11:09:23.004475117 CEST | 49713 | 587 | 192.168.2.8 | 50.87.145.190 | STARTTLS
                                Apr 26, 2024 11:09:23.202624083 CEST | 587 | 49713 | 50.87.145.190 | 192.168.2.8 | 220 TLS go ahead

                                Target ID: 0
                                Start time: 11:09:15
                                Start date: 26/04/2024
                                Path: C:\Users\user\Desktop\Payment details.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\Payment details.exe"
                                Imagebase: 0x1b0000
                                File size: 722'944 bytes
                                MD5 hash: D88A9970EC7A11ADE4A6DFC3D8150496
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation: low
                                Has exited: true

                                Target ID: 3
                                Start time: 11:09:18
                                Start date: 26/04/2024
                                Path: C:\Users\user\Desktop\Payment details.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\Payment details.exe"
                                Imagebase: 0xd50000
                                File size: 722'944 bytes
                                MD5 hash: D88A9970EC7A11ADE4A6DFC3D8150496
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation: low
                                Has exited: false

                                  Execution Graph

                                  Execution Coverage: 11.2%
                                  Dynamic/Decrypted Code Coverage: 100%
                                  Signature Coverage: 2.3%
                                  Total number of Nodes: 219
                                  Total number of Limit Nodes: 13
                                  execution_graph: node and edge list for the interactive graph viewer omitted. API calls reached on the graph, with the function address the graph lists for each: CreateProcessA (6aedd3b, 6aeddc9), VirtualAllocEx (6aed638), WriteProcessMemory (6aed700), ReadProcessMemory (6aed7f3, 6aed7a8), Wow64SetThreadContext (6aed565, 6aed520), ResumeThread (6aed470, 6aed4b0), PostMessageW (6be11e8, 6be11e0), LoadLibraryExW (8cb668), GetModuleHandleW (8cb428), GetCurrentProcess (8cd4be, 8cd54d), GetCurrentThread (8cd510), GetCurrentThreadId (8cd583), DuplicateHandle (8cd6c0), CallWindowProcW (4af435a), CreateWindowExW (4af1d58).
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518997078.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6be0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: efb5f7c5ec0d4e1364088645f5eb922ae35861b0fb777f482fea5e18481e37c0
                                  • Instruction ID: 8e41288050551780c16dbf8d54fb2c0de3d4fdef2c95ef506620569ed6a9960b
                                  • Opcode Fuzzy Hash: efb5f7c5ec0d4e1364088645f5eb922ae35861b0fb777f482fea5e18481e37c0
                                  • Instruction Fuzzy Hash: 9BE1ADB1B016048FDB69DB79C850BAE77FAEF89704F1444ADE546DB290CB34DA01CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72ef9daac13ce0c855dda85c98e61a6b836f1e54f1f3d310dcbf0a517640cb27
                                  • Instruction ID: 19ebb402f814eca9681315902ea8f24d49d67c2909a35cc237f9ef125273d3b4
                                  • Opcode Fuzzy Hash: 72ef9daac13ce0c855dda85c98e61a6b836f1e54f1f3d310dcbf0a517640cb27
                                  • Instruction Fuzzy Hash: 1D514770E0121ACFDB44DFAAD8815AEBBF2FF88214F10982AE401E7354D7745A118FA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d7c0e90fd47fa55b525aa5b1df846d0abe0f9171508dc45f05d19abec2ec9bb
                                  • Instruction ID: 64c13ede2e31342e8c2aa32fe650d0979386fbb19f1100dddb3cf6231af69a23
                                  • Opcode Fuzzy Hash: 5d7c0e90fd47fa55b525aa5b1df846d0abe0f9171508dc45f05d19abec2ec9bb
                                  • Instruction Fuzzy Hash: 6821E3B1D016189BEB18DFABD8457DEBBF7AF89300F04C16AD40866264DB744946CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518997078.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6be0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa6b24ce1badb52c1f0d4c03a16b73d0c0f7d0f607ff25c456e763530d9ab2d9
                                  • Instruction ID: 6d35aa43351fcf4111449c30e49081f8d24e9dbf2c8c39b6082d281767554c81
                                  • Opcode Fuzzy Hash: aa6b24ce1badb52c1f0d4c03a16b73d0c0f7d0f607ff25c456e763530d9ab2d9
                                  • Instruction Fuzzy Hash: 48111C78949218CFDBA0EF94E9447F8B7B8FB4A311F0465E6C40EA2361C7B05A95CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 165eab3a8d6d12080be62489b0d15224bd5b7d607e48c8daaf7e7a59520b7d37
                                  • Instruction ID: 10cc64b2d907a549c66daf8cc43e1a22d1b322b95807d8b0f8dbf53176575a8c
                                  • Opcode Fuzzy Hash: 165eab3a8d6d12080be62489b0d15224bd5b7d607e48c8daaf7e7a59520b7d37
                                  • Instruction Fuzzy Hash: AE21B4B1E046188BEB18DF9BC9447DEFAF7AFC9300F04C16AD809A6264DB740945CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518997078.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6be0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c89276b7161bfbda27d9851085221135db68178131faa6132b275e75b28521e1
                                  • Instruction ID: c5e78eabcdc277c9ced7bc683321bd6ad193bbb2726c71d0e8b2cdfa5e565626
                                  • Opcode Fuzzy Hash: c89276b7161bfbda27d9851085221135db68178131faa6132b275e75b28521e1
                                  • Instruction Fuzzy Hash: 5AF0C9B4A49118CFDBA0EE64E8447F8B7B9FB49315F0124E6C40EA2261CBB04A94CE50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518997078.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6be0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96b99b6c392c2698d7e980c67567738d9c152a6c051815972c51add359b35657
                                  • Instruction ID: c88af72b7c597119c5e4e2236e7842eece0215bfecac8e4d8ed1b7ee1b434fa5
                                  • Opcode Fuzzy Hash: 96b99b6c392c2698d7e980c67567738d9c152a6c051815972c51add359b35657
                                  • Instruction Fuzzy Hash: 13E0BFB5E4E018DFDB90BE64E8481F8B7B8EB4A316F0534E1940EE3212D77049609A64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 008CD4F6
                                  • GetCurrentThread.KERNEL32 ref: 008CD533
                                  • GetCurrentProcess.KERNEL32 ref: 008CD570
                                  • GetCurrentThreadId.KERNEL32 ref: 008CD5C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: d289b743e8abdd6a817caaf3e7e1e663e7dc4dcd42ee844d25f0d2ee7b317eda
                                  • Instruction ID: 1c5265091a71d99d73fc0806c21207e81fedb5224514a4fd2199dc56bc6dbc7c
                                  • Opcode Fuzzy Hash: d289b743e8abdd6a817caaf3e7e1e663e7dc4dcd42ee844d25f0d2ee7b317eda
                                  • Instruction Fuzzy Hash: 9F5135B0D007098FDB14DFAAD588BDEBBF1FB88318F208459E419A7251D774A948CF66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph: executed / not-executed block graph for the interactive viewer omitted. Basic blocks span 6aedd37-6aee085; CreateProcessA is called from block 6aedecf-6aedf89.
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AEDF76
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 9c6fdc0d14d4142abeccffced18385ccd555fedeadfc4c2ce2fb27544f26d8d9
                                  • Instruction ID: 62a2a3af92ab236c33fe438d3202c67f0e97b02be21d53b7a38f73a4aea4d500
                                  • Opcode Fuzzy Hash: 9c6fdc0d14d4142abeccffced18385ccd555fedeadfc4c2ce2fb27544f26d8d9
                                  • Instruction Fuzzy Hash: 03A15971D00619CFEF60EFA9C845BDEBBB2BF48310F148569E809A7240DB759985CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph: executed / not-executed block graph for the interactive viewer omitted. Basic blocks span 6aedd40-6aee085; CreateProcessA is called from block 6aedecf-6aedf89.
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AEDF76
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 713fb1b143c5acd23321db388dc0531543638d1796f901bdf0e29082ae47e7f0
                                  • Instruction ID: 975f19a16e851876a4d6531f75a657ec39dbe8270cfb2a776852306e12dfeb9f
                                  • Opcode Fuzzy Hash: 713fb1b143c5acd23321db388dc0531543638d1796f901bdf0e29082ae47e7f0
                                  • Instruction Fuzzy Hash: 11917B71D00619CFEF60EF69C844BEEBBB2BF48310F148569E808A7240DB749985CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 8cb1f0 through 8cb470; GetModuleHandleW is called from block 8cb428-8cb453; internal calls to 8c9bf8, 8cb478, 8cb488, 8cabd4, 8cabe4, 8cabf4 and 8cac04.
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 008CB446
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: e71b79f1f085b44e14aed722c8ab982edc6d7e198b4dd01bc8f9504da7cbbe2f
                                  • Instruction ID: 46e9e30eb101f844280fa64bff007790737ec9113c82959840acae4ff3f90566
                                  • Opcode Fuzzy Hash: e71b79f1f085b44e14aed722c8ab982edc6d7e198b4dd01bc8f9504da7cbbe2f
                                  • Instruction Fuzzy Hash: 75713470A00B058FDB24DF6AD145B5ABBF1FF88314F108A2DE48ADBA50D774E949CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 4af1ce5 through 4af1e61; CreateWindowExW is called from block 4af1db3-4af1e12.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AF1E02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1516921725.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4af0000_Payment details.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 8862bb96e73d50f16ae8abfc666782b861498673dc588a86695ca06eb247cdf2
                                  • Instruction ID: 0a8cf67852be56f2d8bcdffb075e34f9579d507f80075b6ba3afb221846f1de5
                                  • Opcode Fuzzy Hash: 8862bb96e73d50f16ae8abfc666782b861498673dc588a86695ca06eb247cdf2
                                  • Instruction Fuzzy Hash: 8D51AFB1D00349DFDF14CFAAC884ADEBBB5BF48310F64852AE819AB250D775A945CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 4af1cf0 through 4af1e61; CreateWindowExW is called from block 4af1d73-4af1e12.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AF1E02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1516921725.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4af0000_Payment details.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 3722f8fd3ac52e7dc174bd992d5fed458e232047df0ffcd125409086a4348597
                                  • Instruction ID: 0bac394fc219e11abc9b00b99911a0f126935e0d741b39e5bd8eba074a9f80d9
                                  • Opcode Fuzzy Hash: 3722f8fd3ac52e7dc174bd992d5fed458e232047df0ffcd125409086a4348597
                                  • Instruction Fuzzy Hash: 1441AFB1D00309DFDB14CF9AC884ADEBBB5BF48310F64852AE919AB250D775A845CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 4af0bfc through 4af43dc; CallWindowProcW is called from block 4af435a-4af4392; internal call to 4af0ad4.
                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04AF4381
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1516921725.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4af0000_Payment details.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: 6c4eff09485da4c4995695b9dbf08a8114d018e645cd002e0f27853a04aeacb1
                                  • Instruction ID: 7adad35dba962b1f96c52ce046422ebd90214f56aaf285bf171bdc997f282e21
                                  • Opcode Fuzzy Hash: 6c4eff09485da4c4995695b9dbf08a8114d018e645cd002e0f27853a04aeacb1
                                  • Instruction Fuzzy Hash: F44128B4A006058FDB14CF99C888BABBBF5FF88314F248959E519A7321D774A845CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 8c450c through 8c5fc9; CreateActCtxA is called from block 8c450c-8c5f41.
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 008C5F31
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 4f5d5eb175588fd6e16aacd70f0b36bda1ced02c49b0bec6894b8dcc61412661
                                  • Instruction ID: 14e486a06a80f5266dcac8bfa761ce4be5c31a174d8f15155d0917aa3e38c1e5
                                  • Opcode Fuzzy Hash: 4f5d5eb175588fd6e16aacd70f0b36bda1ced02c49b0bec6894b8dcc61412661
                                  • Instruction Fuzzy Hash: E541B170C01B19CFDB24CFA9C844BDEBBB5BF45304F20806AD409AB251DB756949CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 8c5e74 through 8c5fc9; CreateActCtxA is called from block 8c5edc-8c5f41.
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 008C5F31
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 763bb32274784c4b34f1e3fcbc66eb075c6599581a46079e65f5c1d8aa070d78
                                  • Instruction ID: c2ad92f6cfccb684fa6cabc5e7d5b73acc0a31527a2c5d0ece837290add7a40b
                                  • Opcode Fuzzy Hash: 763bb32274784c4b34f1e3fcbc66eb075c6599581a46079e65f5c1d8aa070d78
                                  • Instruction Fuzzy Hash: E841C2B0C01B19CFEB24CFA9C844BDEBBB5BF85304F24806AD409AB255DB756945CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 6aed6b8 through 6aed78e; WriteProcessMemory is called from block 6aed716-6aed755.
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AED748
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: aec867ac7cd2c1b74baaeba0e0daa0a493c7c23ce1975df191593960810a2cc3
                                  • Instruction ID: 13d9010e825ee03086dbb44838c13650d74148dca6b3d2b145d237d65f5e346a
                                  • Opcode Fuzzy Hash: aec867ac7cd2c1b74baaeba0e0daa0a493c7c23ce1975df191593960810a2cc3
                                  • Instruction Fuzzy Hash: E12125759003499FDF10DFAAC885BEEBBF5FF48310F10882AE919A7240D7789941CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 6aed6b3 through 6aed78e; WriteProcessMemory is called from block 6aed716-6aed755.
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AED748
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: da0144e019e176e1ef10c20998de80165d370912e4e8cbc00f05264c508bbcc8
                                  • Instruction ID: e60210c4bdff5ec17cacecc83ed13821242e4f50be5ee82aeb7c7fa082f6c607
                                  • Opcode Fuzzy Hash: da0144e019e176e1ef10c20998de80165d370912e4e8cbc00f05264c508bbcc8
                                  • Instruction Fuzzy Hash: FE2146759013498FDB10DFA9C884BEEBBF5FF48310F10882AE919A7240C7789951CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 6aed7a7 through 6aed86e; ReadProcessMemory is called from block 6aed7a7-6aed835.
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AED828
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 5c91e08b6d2e834e1f136d1b2a63e06ca04ec2b72ab322e355c871dd886db2b0
                                  • Instruction ID: 880e0db8954d12c51a1b01149a5250a9c87b87ebaad80324170551ab5f59ac74
                                  • Opcode Fuzzy Hash: 5c91e08b6d2e834e1f136d1b2a63e06ca04ec2b72ab322e355c871dd886db2b0
                                  • Instruction Fuzzy Hash: 7E211671C003499FDB10DFAAC881BEEBBF5FF48310F50842AE519A7240C7789541CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 6aed51f through 6aed5e4; Wow64SetThreadContext is called from block 6aed57b-6aed5ab.
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AED59E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 13f124b42835bbd4bc61c6d510d28fd5738cc29f0a3fffec63439de4d3869fa3
                                  • Instruction ID: 667bf104fa66ecb470316c7dd69a021dc0e61ab53579e866e34e10f41f5bf81d
                                  • Opcode Fuzzy Hash: 13f124b42835bbd4bc61c6d510d28fd5738cc29f0a3fffec63439de4d3869fa3
                                  • Instruction Fuzzy Hash: 14212971D003098FDB10DFAAC485BEEBBF4EF48314F54842AE419A7240DB789945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 6aed7a8 through 6aed86e; ReadProcessMemory is called from block 6aed7a8-6aed835.
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AED828
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 5413940981d90bd1ad86e8db4cbbc71299c1b3a4c829912752cb8739b3e96514
                                  • Instruction ID: 54d9c19bbbcd19a22b4d438ec714a59f723e167ddc2cd66bdfe9361b164040aa
                                  • Opcode Fuzzy Hash: 5413940981d90bd1ad86e8db4cbbc71299c1b3a4c829912752cb8739b3e96514
                                  • Instruction Fuzzy Hash: 1F211671C003499FDB10DFAAC880BEEBBF5FF48310F50842AE519A7240C7789501CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Rendered graph not reproduced: basic blocks 6aed51f through 6aed5e4; Wow64SetThreadContext is called from block 6aed57b-6aed5ab.
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AED59E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 5f731f0a36152b639c6729a63a272a9a505fd7f9648c1f8bec4fb177c597cabc
                                  • Instruction ID: 3b487df04554004eff61407ec178841a5ed0f764ef9da7654b0106ff7ccacf88
                                  • Opcode Fuzzy Hash: 5f731f0a36152b639c6729a63a272a9a505fd7f9648c1f8bec4fb177c597cabc
                                  • Instruction Fuzzy Hash: 9C212771D003098FDB10DFAAC485BEEBBF4EF88314F54842AE419A7240DB78A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008CD747
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: e6c71943a1e2ec329b2e2875ecb39ee14d2289a651a79b12d35ab100a270c0ba
                                  • Instruction ID: e750d61ae5188f776336df9edc4106456ee1042d40f726aece09376e75875ec4
                                  • Opcode Fuzzy Hash: e6c71943a1e2ec329b2e2875ecb39ee14d2289a651a79b12d35ab100a270c0ba
                                  • Instruction Fuzzy Hash: E221C2B59003489FDB10CFAAD984ADEFBF8FB48310F14841AE918A3350D378A944CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,008CB4C1,00000800,00000000,00000000), ref: 008CB6D2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 37f59f6cbabd3a5f04b8fb9fdce3a5df367734c42898904a9808688e6cabe000
                                  • Instruction ID: e2c8ec2012cf003ad7b32b602e71ffcf323ecdcc34c906dd43345085ec29c1e2
                                  • Opcode Fuzzy Hash: 37f59f6cbabd3a5f04b8fb9fdce3a5df367734c42898904a9808688e6cabe000
                                  • Instruction Fuzzy Hash: 7611D3B69047499FDB24CFAAC444B9EFBF8EB58310F10842EE519A7240C375A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,008CB4C1,00000800,00000000,00000000), ref: 008CB6D2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 3dbcf4eba3180a3c62af2932261bb5ab157ecc35a692cad8e2e6e60875a91bd2
                                  • Instruction ID: c0e0d01d36fd658f401891133cb3afc4e81af7180ccfb1d4ef238eeb0bb9110c
                                  • Opcode Fuzzy Hash: 3dbcf4eba3180a3c62af2932261bb5ab157ecc35a692cad8e2e6e60875a91bd2
                                  • Instruction Fuzzy Hash: C41112B68006498FDB10CFAAC444BDEFBF4EB88320F14841EE459A7600C374A545CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AED666
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: a37a540187876037bbfd27f6cc56f7d22911d7a450855716fba21b111ee77ee5
                                  • Instruction ID: bc6c0aa6a61bb282866b8bb8acf9adec248cb239ada4a15d4c6e65db863e95a1
                                  • Opcode Fuzzy Hash: a37a540187876037bbfd27f6cc56f7d22911d7a450855716fba21b111ee77ee5
                                  • Instruction Fuzzy Hash: 921126729002499FDF20DFAAC844BEEBBF5AF88310F14881AE529A7250C7759541CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AED666
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 312c90cc53f4560cd1ab9ddc652de6078f1d9dad14974b35098d23218d951fe8
                                  • Instruction ID: fe4b95faf4d3cf9259a942c81ba64c9383f4bb15605691a278f32faaf583a251
                                  • Opcode Fuzzy Hash: 312c90cc53f4560cd1ab9ddc652de6078f1d9dad14974b35098d23218d951fe8
                                  • Instruction Fuzzy Hash: 9A11F6729002499FDB10DFAAC845BDEBBF5AF48310F14881AE529A7250C775A550CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 4a6593f7820837e59dad7f6b8ac52ec40f1774a2de0d1e455fbdf32664bb8369
                                  • Instruction ID: 3d4fdf7370f9ed277662019c85d8b33851ea8ec27e5f31d417034c41132c1540
                                  • Opcode Fuzzy Hash: 4a6593f7820837e59dad7f6b8ac52ec40f1774a2de0d1e455fbdf32664bb8369
                                  • Instruction Fuzzy Hash: 27113A71D003488FDB20DFAAC8457DFFBF8AF88214F24881AD419A7240CB796540CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: f09b62c0701d83746baa4eb76755f0f8dc59029c6da135f17f62c5d763869a40
                                  • Instruction ID: 32fa4f7d186b93e80746294948f9eb81e0bd094d757e6878aa26f05605b5c074
                                  • Opcode Fuzzy Hash: f09b62c0701d83746baa4eb76755f0f8dc59029c6da135f17f62c5d763869a40
                                  • Instruction Fuzzy Hash: 93113A71D003488FDB20DFAAC4457DEFBF4AF88214F24881AD419A7240C7796540CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 008CB446
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 5ee3678968b0324c4ee6bbcba345f955f152f1aff03070a986ad1f288c5aa47f
                                  • Instruction ID: 5e7937f649cf943cc6a5f5b1121892c5a758f3b9e00d6984e2f257a8b7d79eb3
                                  • Opcode Fuzzy Hash: 5ee3678968b0324c4ee6bbcba345f955f152f1aff03070a986ad1f288c5aa47f
                                  • Instruction Fuzzy Hash: 62110FB5C006498FCB14CF9AC444BDEFBF4EF88320F10842AD429A7201C379A545CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 06BE1245
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518997078.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6be0000_Payment details.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: cf00c3fd56c5d475c2d55b3ecd53f07e1d0fa5178e1137612e56c3d170d2d0b6
                                  • Instruction ID: 420f4d940994585354145495d85eb7f5f7b4fc9107b4417fdafb7461a1629720
                                  • Opcode Fuzzy Hash: cf00c3fd56c5d475c2d55b3ecd53f07e1d0fa5178e1137612e56c3d170d2d0b6
                                  • Instruction Fuzzy Hash: DB1103B58002499FDB10CF9AC884BEEFBF8FB48314F20845AE569A7650C375A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 06BE1245
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518997078.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6be0000_Payment details.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 161be943d06fcd6d9a9540a56455d9f9e215bb6d4e7e99b980ce1634358d86c4
                                  • Instruction ID: fd720e4fc8fdbdeefc121571ae93d691c7c145815e9d9f82c7c6e77020adfe74
                                  • Opcode Fuzzy Hash: 161be943d06fcd6d9a9540a56455d9f9e215bb6d4e7e99b980ce1634358d86c4
                                  • Instruction Fuzzy Hash: 7411D0B58003499FDB10CF9AC885BDEFBF8FB48324F20885AE518A7640C375A944CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510379768.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_82d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc4815cbd1d0cc01982dd51eee43684860be6ff54012afed9d66bbb3fe9e78d4
                                  • Instruction ID: ef1ec37d00dc169d773e012d00af49357437cc8ea5ef5de7fdeaa55d6193bb1a
                                  • Opcode Fuzzy Hash: cc4815cbd1d0cc01982dd51eee43684860be6ff54012afed9d66bbb3fe9e78d4
                                  • Instruction Fuzzy Hash: DB21D6B1504344DFDB05DF50E9C4B26BFA5FB88314F24C569ED058B246C336E896CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510379768.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_82d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ae5703ee34ecf719560e7b35cb5333f2f5f70203439b5b977e647e05eab1dcc4
                                  • Instruction ID: fd6a0a8fc799bfbc1325eb6040d9c91dddf5bf96739f1e1229ff6bd3bd5e5b20
                                  • Opcode Fuzzy Hash: ae5703ee34ecf719560e7b35cb5333f2f5f70203439b5b977e647e05eab1dcc4
                                  • Instruction Fuzzy Hash: E4210AB1504344EFDB05EF10E9C4B16BFA5FB94314F24C569E9098F256C336E896CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510421126.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_83d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4dadc2307ae0788ca54708925d44dc243952287367bf3159ab943a269c89b10
                                  • Instruction ID: 58a5087d3f6b7deb55993d594ac1791a75f8cf3475268e46de24553a1bf27cf7
                                  • Opcode Fuzzy Hash: b4dadc2307ae0788ca54708925d44dc243952287367bf3159ab943a269c89b10
                                  • Instruction Fuzzy Hash: 1A21F671504344EFDB15DF60E9C0B26BBA5FBC4318F24C56DE8498B292C73AE856CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510421126.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_83d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bcac380f8a9655ae70cc939052c80199c4ac4d2e924dd7a49d87d6ba68717033
                                  • Instruction ID: 9c4f4c09161cda41324326e1eca76d285ff884bad70c00939bca8d507db430c2
                                  • Opcode Fuzzy Hash: bcac380f8a9655ae70cc939052c80199c4ac4d2e924dd7a49d87d6ba68717033
                                  • Instruction Fuzzy Hash: E1210771504744DFDB18DF20E5D4B16BBA5FBC4B18F20C56DE8498B256C33AD847CAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510379768.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_82d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 92198a4f948beed57c56698445cc2df5a183246ccdbdf080b2d23d8759be0f25
                                  • Instruction ID: b211dd5723d58d3f40b4cc504048f22ce081b2447cd4d26445f93ce4d09db4fb
                                  • Opcode Fuzzy Hash: 92198a4f948beed57c56698445cc2df5a183246ccdbdf080b2d23d8759be0f25
                                  • Instruction Fuzzy Hash: D421AFB6504240DFCB06CF50D9C4B16BF72FB84314F24C5A9DC094B656C33AE86ACBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510379768.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_82d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
                                  • Instruction ID: 026ae0c1dfa60b21893f3f631151d6cd3f3f04a24d8a78955fb5b9b22cb1322f
                                  • Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
                                  • Instruction Fuzzy Hash: DE11D3B6504380DFDB15DF10D9C4B16BF71FB94324F24C6A9D8094B656C33AE89ACBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510421126.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_83d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
                                  • Instruction ID: 75aecd3a0823580de38a5d84f91946ad506238447fe922706c14cc860a83be08
                                  • Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
                                  • Instruction Fuzzy Hash: 9811BB75508780CFCB15CF10E5D4B15BBA2FB84718F24C6AAD8498B656C33AD84ACBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510421126.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_83d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
                                  • Instruction ID: b624ebd005256b37bb730b6b510e495d53b1b7077d57c48ffe70df55343ebdc2
                                  • Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
                                  • Instruction Fuzzy Hash: 40118B75504280DFCB16DF10D5C4B16BBA2FB84318F24C6A9D8498B696C33AE85ACBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510379768.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_82d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 68fe7a5c9dbff3b97096d8d603790cb31153442057acce6b3377e092b274ef53
                                  • Instruction ID: 36f7234bc2026a63cd42a60ede996092cd6ce0f4f5a3e9b7f6bea954b25615b8
                                  • Opcode Fuzzy Hash: 68fe7a5c9dbff3b97096d8d603790cb31153442057acce6b3377e092b274ef53
                                  • Instruction Fuzzy Hash: 9C01F271008354AFE7204E25DC84B66BFD8FF81724F18C52AED088E282C37D9881CAB2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510379768.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_82d000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: db31e304e7380ab41621f0646155bff906391953d14cba5fb2f6df71463b63e3
                                  • Instruction ID: eea3797acb38ee3aa93eaa6ae9cf98bba0ed2648405e9d0a24136677ce80d486
                                  • Opcode Fuzzy Hash: db31e304e7380ab41621f0646155bff906391953d14cba5fb2f6df71463b63e3
                                  • Instruction Fuzzy Hash: 81F062714083549EEB108E16D884B62FFD8EB51734F18C55AED485A286C3799844CAB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1516921725.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4af0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 59254e912b289ab3457f4437e8df66e49fbe6049dee562c04319475f9b8f33ee
                                  • Instruction ID: 077c57b8209caa111f644f0ecf81a3b9e8de2db5add9794344b49de6fb877732
                                  • Opcode Fuzzy Hash: 59254e912b289ab3457f4437e8df66e49fbe6049dee562c04319475f9b8f33ee
                                  • Instruction Fuzzy Hash: 9A12A3B1C81745CAEB19CF25EA5C18D3BB1B78131CBD04A19D2651E2E1EBB4126EEF4C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20a4bc9755c503b9ae9a2adfc315cd956205646f35eff2e6f12504e71f8004a8
                                  • Instruction ID: 98997ac447e8f2c84bcd25c8b67287c095a3ef080255b4e08bea5c86bfab328e
                                  • Opcode Fuzzy Hash: 20a4bc9755c503b9ae9a2adfc315cd956205646f35eff2e6f12504e71f8004a8
                                  • Instruction Fuzzy Hash: 48E1FA74E002198FDB14DFA9C6849AEFBB2FF89305F248169D854AB359D731AD41CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 710d0ac3fe5aef667e82565a380a244e9fd901f2c81e208c0244c4b37035c9c5
                                  • Instruction ID: 9832b98038cb83e8a82c09e8c072901b08802b201cd98a23ed220bd9419d70eb
                                  • Opcode Fuzzy Hash: 710d0ac3fe5aef667e82565a380a244e9fd901f2c81e208c0244c4b37035c9c5
                                  • Instruction Fuzzy Hash: 67E1FB74E00219CFDB14DFA9C5849AEFBB2BF89305F2481AAD814AB359D730AD41CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97616a2e358ac1baee620a80fd61831f99d5309c5be81a62ecada47ae93b27c3
                                  • Instruction ID: 5756a051bcbd8ad14b1a56134a8e6f9aa08fec72c8ed8d0e3a0203665388a1f3
                                  • Opcode Fuzzy Hash: 97616a2e358ac1baee620a80fd61831f99d5309c5be81a62ecada47ae93b27c3
                                  • Instruction Fuzzy Hash: E1E1F774E002198FDB14DFA9C580AAEFBB2FF89305F2481A9D914AB359D731AD41CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d213b250e152ecb557fd612dd66082591a7391cdcaa49c53e487c5cf82de43e0
                                  • Instruction ID: 9b72370633b442e843cf91340e9a8387e2facb93f85f65cb9a025a1a76f58255
                                  • Opcode Fuzzy Hash: d213b250e152ecb557fd612dd66082591a7391cdcaa49c53e487c5cf82de43e0
                                  • Instruction Fuzzy Hash: 9DE1F874E002198FDB14DFA9C580AAEFBF2BF89315F248169D815AB359D731AD41CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf73b8dca9b097b2a7c3d69dbe5df7cc74087873748049c1b5c0d96db0e785aa
                                  • Instruction ID: 389b6203f02395317096611f693ada8caeb989616561fb3312992fe62c5df664
                                  • Opcode Fuzzy Hash: bf73b8dca9b097b2a7c3d69dbe5df7cc74087873748049c1b5c0d96db0e785aa
                                  • Instruction Fuzzy Hash: DCE1FA74E002198FDB14DFA9C580AAEFBB2FF89305F248169D914AB359D731AD41CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1510607695.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8c0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 380bce401639c39ee9df478aedbf97609fc5d789538d97dde4ff76b79455b62e
                                  • Instruction ID: 76e09f1a621f77f8046d302634003c69fb1ffffed2961a64d941b348a96a3425
                                  • Opcode Fuzzy Hash: 380bce401639c39ee9df478aedbf97609fc5d789538d97dde4ff76b79455b62e
                                  • Instruction Fuzzy Hash: 32A14B32E00619CFCF19DFA4C840A9EB7B2FF85300B15857EE905AB262DB71D916CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e73eedbe607e72185828793e465fac857b70246f94f62f5d306514dd1f71c3e
                                  • Instruction ID: 086b20544c9ed8ad746a81fd87a08bddf149224f342cb544da3593cc2f5a9ad4
                                  • Opcode Fuzzy Hash: 2e73eedbe607e72185828793e465fac857b70246f94f62f5d306514dd1f71c3e
                                  • Instruction Fuzzy Hash: 35D10631D2075ADBDB10EBA4D8906D9B3B1FF95300F60D79AE44A37215EBB06AC4CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9d6c32b21d8fbe464c588d9cc30be143cab95a18308ff37eca0fb17dd9f6a74f
                                  • Instruction ID: 5a10a0f1e56114852794265518cbde06c305bce55c2f8dac700c408bbdb3549e
                                  • Opcode Fuzzy Hash: 9d6c32b21d8fbe464c588d9cc30be143cab95a18308ff37eca0fb17dd9f6a74f
                                  • Instruction Fuzzy Hash: D0D10631D2075ADBDB10EBA4D8906D9B3B1FF95300F60D79AE44A37215EBB06AC4CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1516921725.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4af0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e80effe87c50ce3ce2c2d3f3aac01e024217a5cca58836a7a5b93bd10ddb4099
                                  • Instruction ID: 63837f5a6c7b273652b3abfb6fcf8cf5da4b1dad263f9a16f003074d2da80841
                                  • Opcode Fuzzy Hash: e80effe87c50ce3ce2c2d3f3aac01e024217a5cca58836a7a5b93bd10ddb4099
                                  • Instruction Fuzzy Hash: BBC148B0C81745CBDB19CF24EA5818D3BB1BB81318FD04A19D2652F2D1EBB4166EEF48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8c683965dbfa4795dde86288a0f4f2594f497c52fae01d423385f0ed23bf477
                                  • Instruction ID: 98d54ef4186573aeeb91dd1d15c0f05746635164d5a874c577ac4e5769c1b7b8
                                  • Opcode Fuzzy Hash: d8c683965dbfa4795dde86288a0f4f2594f497c52fae01d423385f0ed23bf477
                                  • Instruction Fuzzy Hash: 4751F974E002198FDB14DFA9CA845AEFBF2BF89304F2481AAD418AB315D7319941CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ab1b67f0214b3957c031f1a32ff8e4ea30657c7381acd8f99be8a2ea7cf07d6f
                                  • Instruction ID: f99634dd72c664ab99032117ce8aaf38acc85ea6150f0245e8486bdb9010aec3
                                  • Opcode Fuzzy Hash: ab1b67f0214b3957c031f1a32ff8e4ea30657c7381acd8f99be8a2ea7cf07d6f
                                  • Instruction Fuzzy Hash: 3F51EC74E012198FDB14DFA9C5845AEFBF2BF89305F24C1AAD818AB315D7319941CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518880196.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ae0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c0ee16cd0e5fd26a4ebf963453d928eb7dadca476debbe0caf5691632f1a5d4a
                                  • Instruction ID: dab291f46bda8af506572df784df4ad819c70597291ccda7fb055254c6945333
                                  • Opcode Fuzzy Hash: c0ee16cd0e5fd26a4ebf963453d928eb7dadca476debbe0caf5691632f1a5d4a
                                  • Instruction Fuzzy Hash: 28510975E002198FDB14DFA9C5805AEFBF2BF89314F2481AAD819AB315D7319941CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage: 11.9%
                                  Dynamic/Decrypted Code Coverage: 100%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 196
                                  Total number of Limit Nodes: 26
                                  execution_graph 30335 7482e38 30336 7483140 30335->30336 30337 7482e60 30335->30337 30338 7482e69 30337->30338 30341 74822a4 30337->30341 30340 7482e8c 30342 74822af 30341->30342 30343 7483183 30342->30343 30345 74822c0 30342->30345 30343->30340 30346 74831b8 OleInitialize 30345->30346 30347 748321c 30346->30347 30347->30343 30124 1600848 30126 160084e 30124->30126 30125 160091b 30126->30125 30128 160137f 30126->30128 30129 1601383 30128->30129 30130 1601480 30129->30130 30134 1607eb0 30129->30134 30139 1607d98 30129->30139 30149 1607d88 30129->30149 30130->30126 30135 1607eba 30134->30135 30136 1607ed4 30135->30136 30159 6dffb49 30135->30159 30165 6dffb58 30135->30165 30136->30129 30140 1607dae 30139->30140 30141 1607e5f 30140->30141 30171 1608728 30140->30171 30177 1608695 30140->30177 30183 1608691 30140->30183 30189 160868d 30140->30189 30195 1608699 30140->30195 30201 1608689 30140->30201 30207 16086d8 30140->30207 30141->30129 30150 1607dae 30149->30150 30151 1607e5f 30150->30151 30152 1608691 3 API calls 30150->30152 30153 1608695 3 API calls 30150->30153 30154 1608728 3 API calls 30150->30154 30155 16086d8 3 API calls 30150->30155 30156 1608689 3 API calls 30150->30156 30157 1608699 3 API calls 30150->30157 30158 160868d 3 API calls 30150->30158 30151->30129 30152->30150 30153->30150 30154->30150 30155->30150 30156->30150 30157->30150 30158->30150 30161 6dffb58 30159->30161 30160 6dffd82 30160->30136 30161->30160 30162 160dcd8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30161->30162 30163 160e0a1 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30161->30163 30164 160dce8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30161->30164 30162->30161 30163->30161 30164->30161 30167 6dffb6d 30165->30167 30166 6dffd82 30166->30136 30167->30166 30168 160e0a1 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30167->30168 30169 160dce8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30167->30169 30170 160dcd8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30167->30170 30168->30167 30169->30167 30170->30167 30172 1608741 30171->30172 30173 1608f05 30172->30173 30213 160a023 30172->30213 30218 1609f71 30172->30218 30223 1609f80 30172->30223 30173->30140 30178 1608693 30177->30178 30179 1608f05 30178->30179 30180 1609f80 3 API calls 30178->30180 30181 1609f71 3 API calls 30178->30181 30182 160a023 3 API calls 30178->30182 30179->30140 30180->30178 30181->30178 30182->30178 30184 1608693 30183->30184 30185 1608f05 30184->30185 30186 1609f80 3 API calls 30184->30186 30187 1609f71 3 API calls 30184->30187 30188 160a023 3 API calls 30184->30188 30185->30140 30186->30184 30187->30184 30188->30184 30190 1608693 30189->30190 30191 1608f05 30190->30191 30192 1609f80 3 API calls 30190->30192 30193 1609f71 3 API calls 30190->30193 30194 160a023 3 API calls 30190->30194 30191->30140 30192->30190 30193->30190 30194->30190 30196 1608693 30195->30196 30197 1608f05 30196->30197 30198 1609f80 3 API calls 30196->30198 30199 1609f71 3 API calls 30196->30199 30200 160a023 3 API calls 30196->30200 30197->30140 30198->30196 30199->30196 30200->30196 30202 1608693 30201->30202 30203 1608f05 30202->30203 30204 1609f80 3 API calls 30202->30204 30205 1609f71 3 API calls 30202->30205 30206 160a023 3 API calls 30202->30206 30203->30140 30204->30202 30205->30202 30206->30202 30208 1608693 30207->30208 30208->30207 30209 1608f05 30208->30209 30210 1609f80 3 API calls 30208->30210 30211 1609f71 3 API calls 30208->30211 30212 160a023 3 API calls 30208->30212 30209->30140 30210->30208 30211->30208 30212->30208 30214 1609ff8 30213->30214 30215 160a039 30214->30215 30228 160a06f 30214->30228 30235 160a080 30214->30235 30219 1609f9d 30218->30219 30220 160a039 30219->30220 30221 160a06f 3 API calls 30219->30221 30222 160a080 3 API calls 30219->30222 30221->30219 30222->30219 30225 1609f9d 30223->30225 30224 160a039 30225->30224 30226 160a06f 3 API calls 30225->30226 30227 160a080 3 API calls 30225->30227 30226->30225 30227->30225 30230 160a080 30228->30230 30229 160a15a 30230->30229 30242 160a190 30230->30242 30257 160a4ae 30230->30257 30272 160a198 30230->30272 30287 160a2b0 30230->30287 30237 160a09a 30235->30237 30236 160a15a 30237->30236 30238 160a190 3 API calls 30237->30238 30239 160a2b0 3 API calls 30237->30239 30240 160a198 3 API calls 30237->30240 30241 160a4ae 3 API calls 30237->30241 30238->30237 30239->30237 30240->30237 30241->30237 30245 160a1b9 30242->30245 30243 160a4dd 30243->30230 30244 160a4ea 30246 160a569 30244->30246 30247 160a190 3 API calls 30244->30247 30248 160a2b0 3 API calls 30244->30248 30249 160a198 3 API calls 30244->30249 30250 160a4ae 3 API calls 30244->30250 30245->30243 30245->30244 30253 160a190 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30245->30253 30254 160a2b0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30245->30254 30255 160a198 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30245->30255 30256 160a4ae GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30245->30256 30302 160dce8 30245->30302 30306 160dcd8 30245->30306 30246->30230 30247->30246 30248->30246 30249->30246 30250->30246 30253->30245 30254->30245 30255->30245 30256->30245 30261 160a1b9 30257->30261 30258 160a4dd 30258->30230 30259 160a569 30259->30230 30260 160a4ea 30260->30259 30268 160a190 3 API calls 30260->30268 30269 160a2b0 3 API calls 30260->30269 30270 160a198 3 API calls 30260->30270 30271 160a4ae 3 API calls 30260->30271 30261->30258 30261->30260 30262 160a190 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30261->30262 30263 160a2b0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30261->30263 30264 160a198 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30261->30264 30265 160a4ae GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30261->30265
30266 160dce8 3 API calls 30261->30266 30267 160dcd8 3 API calls 30261->30267 30262->30261 30263->30261 30264->30261 30265->30261 30266->30261 30267->30261 30268->30259 30269->30259 30270->30259 30271->30259 30275 160a1b9 30272->30275 30273 160a4dd 30273->30230 30274 160a4ea 30276 160a569 30274->30276 30277 160a190 3 API calls 30274->30277 30278 160a2b0 3 API calls 30274->30278 30279 160a198 3 API calls 30274->30279 30280 160a4ae 3 API calls 30274->30280 30275->30273 30275->30274 30281 160dce8 3 API calls 30275->30281 30282 160dcd8 3 API calls 30275->30282 30283 160a190 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30275->30283 30284 160a2b0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30275->30284 30285 160a198 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30275->30285 30286 160a4ae GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30275->30286 30276->30230 30277->30276 30278->30276 30279->30276 30280->30276 30281->30275 30282->30275 30283->30275 30284->30275 30285->30275 30286->30275 30290 160a1b9 30287->30290 30288 160a4dd 30288->30230 30289 160a4ea 30291 160a569 30289->30291 30298 160a190 3 API calls 30289->30298 30299 160a2b0 3 API calls 30289->30299 30300 160a198 3 API calls 30289->30300 30301 160a4ae 3 API calls 30289->30301 30290->30288 30290->30289 30292 160a190 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30290->30292 30293 160a2b0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30290->30293 30294 160a198 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30290->30294 30295 160a4ae GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 30290->30295 30296 160dce8 3 API calls 30290->30296 30297 160dcd8 3 API calls 30290->30297 30291->30230 30292->30290 30293->30290 30294->30290 30295->30290 30296->30290 30297->30290 30298->30291 30299->30291 30300->30291 30301->30291 30303 160dced 30302->30303 30304 160dcf7 30303->30304 30310 160e990 
30303->30310 30304->30245 30307 160dcdb 30306->30307 30308 160dcf7 30306->30308 30307->30308 30309 160e990 3 API calls 30307->30309 30308->30245 30309->30308 30311 160e9a0 30310->30311 30312 160e9ae 30311->30312 30315 160edc8 30311->30315 30323 160edd8 30311->30323 30312->30304 30317 160edd8 30315->30317 30316 160ede5 30316->30312 30317->30316 30331 160e9c8 30317->30331 30319 160ee2e 30319->30312 30321 160eef6 GlobalMemoryStatusEx 30322 160ef26 30321->30322 30322->30312 30324 160eddd 30323->30324 30325 160ede5 30324->30325 30326 160e9c8 GlobalMemoryStatusEx 30324->30326 30325->30312 30328 160ee2a 30326->30328 30327 160ee2e 30327->30312 30328->30327 30329 160eef6 GlobalMemoryStatusEx 30328->30329 30330 160ef26 30329->30330 30330->30312 30332 160eeb0 GlobalMemoryStatusEx 30331->30332 30334 160ee2a 30332->30334 30334->30319 30334->30321 30348 7480c70 30349 7480cb2 30348->30349 30351 7480cb9 30348->30351 30350 7480d0a CallWindowProcW 30349->30350 30349->30351 30350->30351

                                  Control-flow Graph
                                  • Function entry 6df56a0, basic blocks 6df56a0 through 6df5dda; no imported API call is annotated in this function (rendered graph and basic-block edge list omitted)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-3993045852
                                  • Opcode ID: 0aebadb549e067b66cb5848398ee8a71dab3243546d4b0e358cd4a9de2e7a634
                                  • Instruction ID: 97f98b507c0e7275f1619b7391dc8e609147f12ea550726c007f870055eecb91
                                  • Opcode Fuzzy Hash: 0aebadb549e067b66cb5848398ee8a71dab3243546d4b0e358cd4a9de2e7a634
                                  • Instruction Fuzzy Hash: 7D22D371E20215CFDF64DBA4D8806AEBBB2FF95320F218469D905AB354DB35DC42CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e6d0b23b140597fc748989cd94328ed940288dd8cfbac5c5a737035e396eb2ea
                                  • Instruction ID: 98eb47bcad99e43e21fd9b65e3adfe86ea56fe8f083cd11ee479c782270c7fc5
                                  • Opcode Fuzzy Hash: e6d0b23b140597fc748989cd94328ed940288dd8cfbac5c5a737035e396eb2ea
                                  • Instruction Fuzzy Hash: 0CE23934E10209CFDB64DFA8C884A9DB7B2FF89310F56C5A9D509AB251DB35ED85CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b1e3ffa47a277ff9b558ae1f33a67504e7a85b22433cf1f3f5294ccb49e93a2f
                                  • Instruction ID: 1e370159cb9162ac185062e903243aceed9b85785f6b07fd50a348f2c5e727a5
                                  • Opcode Fuzzy Hash: b1e3ffa47a277ff9b558ae1f33a67504e7a85b22433cf1f3f5294ccb49e93a2f
                                  • Instruction Fuzzy Hash: 25629C34B202449FDB54DB68D990AAEB7F2FF84310F158469E906EB791DB35EC42CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1bc0dcf3ba3e9db2606448cf6a1df125b95eacaa79b8bca92dcf8f80fa0e1bcc
                                  • Instruction ID: 807b6d75d1187ad8c86880d673c23e996182dcccbf175aba1ca77b90789d2f2a
                                  • Opcode Fuzzy Hash: 1bc0dcf3ba3e9db2606448cf6a1df125b95eacaa79b8bca92dcf8f80fa0e1bcc
                                  • Instruction Fuzzy Hash: 92527130E202099FEF64DB68D8907AEB7B2FB89710F25852AE505EB351DB35DC41CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a290098bc0eb3935ab6e9ef5628f596b487871345466412e59c4e2a3f5da9db
                                  • Instruction ID: 30251fe70b9172b5a55499a9351a3187bc35c3eb086e3b2681a8fed9a243336b
                                  • Opcode Fuzzy Hash: 1a290098bc0eb3935ab6e9ef5628f596b487871345466412e59c4e2a3f5da9db
                                  • Instruction Fuzzy Hash: B2027930B102169FDB54DF68D890AAEB7F2FF84310F158569D906AB390DB35ED42CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • Function entry 160edd8, basic blocks 160edd8 through 160ef55; block 160ee0d-160ee2c calls 160e9c8; block 160eeb5-160ef24 calls GlobalMemoryStatusEx (rendered graph and basic-block edge list omitted)
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2712136611.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_1600000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fc6c0997431a060b5769c0af1ae7d1e0e6b0a2ec88cf2ffc86f5ad26456d3e23
                                  • Instruction ID: 1567ae8de215d7bc60ab623b4cfca7722ee4df6e1e76913c545274987219f97e
                                  • Opcode Fuzzy Hash: fc6c0997431a060b5769c0af1ae7d1e0e6b0a2ec88cf2ffc86f5ad26456d3e23
                                  • Instruction Fuzzy Hash: 0F413572D003598FDB09DFB9D80069EBBF5EFC9210F10896AD504A7380EB749845CBD1
                                  Uniqueness

                                  Uniqueness Score: -1.00%
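
The execution_graph listing at the top of this section and the control_flow_graph listings that accompany each function record are the text that extraction leaves behind from the report's interactive graph widgets. As an added example (not part of the Joe Sandbox report or its tooling), the following Python parser rebuilds those node/edge lists and answers the question an analyst actually wants from them: which entry point reaches which Win32 API, in which basic block, and which other functions it calls. The format rules are inferred from the listings on this page (a node is "<id> <hex address or range>", optionally followed by API names, "call <address>" or "N API calls"; an edge is "<id>-><id>"); both embedded excerpts are copied from this report's own listings, trimmed to a few functions.

```python
"""Parse the flattened execution_graph / control_flow_graph listings of a Joe Sandbox report.

Added example, not Joe Sandbox code. Token grammar assumed from the report text:
    <id> <hexaddr>[-<hexaddr>] [<APIName> ...] ["call" <hexaddr>] ["<N> API calls"]
    <id>-><id>
"""
import re
from collections import defaultdict

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?$")   # "7482e38" or "160edd8-160ede3"
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Trimmed verbatim from this report's execution_graph (four entry points).
EXEC_EXCERPT = """execution_graph
30335 7482e38 30336 7483140 30335->30336 30337 7482e60 30335->30337 30338 7482e69 30337->30338 30341 74822a4 30337->30341 30340 7482e8c 30342 74822af 30341->30342 30343 7483183 30342->30343 30345 74822c0 30342->30345 30343->30340 30346 74831b8 OleInitialize 30345->30346 30347 748321c 30346->30347 30347->30343
30310 160e990 30311 160e9a0 30310->30311 30312 160e9ae 30311->30312 30315 160edc8 30311->30315 30317 160edd8 30315->30317 30316 160ede5 30316->30312 30317->30316 30331 160e9c8 30317->30331 30319 160ee2e 30319->30312 30321 160eef6 GlobalMemoryStatusEx 30322 160ef26 30321->30322 30322->30312 30332 160eeb0 GlobalMemoryStatusEx 30331->30332 30334 160ee2a 30332->30334 30334->30319 30334->30321
30149 1607d88 30150 1607dae 30149->30150 30152 1608691 3 API calls 30150->30152 30152->30150
30348 7480c70 30349 7480cb2 30348->30349 30351 7480cb9 30348->30351 30350 7480d0a CallWindowProcW 30349->30350 30349->30351 30350->30351
"""

# Verbatim from this report's control_flow_graph for the function at 160edd8.
CFG_EXCERPT = """control_flow_graph 799 160edd8-160ede3 801 160ede5-160ee0c 799->801 802 160ee0d-160ee2c call 160e9c8 799->802 807 160ee32-160ee76 802->807 808 160ee2e-160ee31 802->808 813 160ee78-160ee7b 807->813 814 160ee7d-160ee7e 807->814 813->814 815 160ee80 814->815 816 160ee85-160ee91 814->816 815->816 818 160ee93-160ee96 816->818 819 160ee97-160eeae 816->819 821 160eeb0-160eeb4 819->821 822 160eeb5-160ef24 GlobalMemoryStatusEx 819->822 821->822 824 160ef26-160ef2c 822->824 825 160ef2d-160ef55 822->825 824->825"""


def parse_graph(text):
    """Return (nodes, edges). nodes[id] = {addr, apis, calls, summarized}; edges[id] = set of successor ids."""
    nodes, edges = {}, defaultdict(set)
    toks, i, cur = text.split(), 0, None
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:                                                    # "30335->30336"
            edges[m.group(1)].add(m.group(2))
            i += 1
        elif NODE_ID.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = t                                              # "<id> <addr>" starts a node
            nodes[cur] = {"addr": toks[i + 1].split("-")[0], "apis": [], "calls": [], "summarized": 0}
            i += 2
        elif cur is None:                                        # header token such as "execution_graph"
            i += 1
        elif t == "call" and i + 1 < len(toks):                  # CFG annotation: "call <target>"
            nodes[cur]["calls"].append(toks[i + 1])
            i += 2
        elif NODE_ID.match(t) and i + 2 < len(toks) and toks[i + 1] == "API":
            nodes[cur]["summarized"] += int(t)                   # "3 API calls": names elided by the report
            i += 3
        else:                                                    # an imported API name, e.g. OleInitialize
            nodes[cur]["apis"].append(t)
            i += 1
    return nodes, edges


def roots(nodes, edges):
    """Entry points: nodes no edge points at."""
    targets = {d for ds in edges.values() for d in ds}
    return [n for n in nodes if n not in targets]


def reachable(edges, start):
    """All node ids reachable from start (iterative DFS; graphs contain cycles)."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(edges.get(n, ()))
    return seen


def api_reach(text):
    """entry address -> (sorted distinct APIs reached, number of elided 'N API calls')."""
    nodes, edges = parse_graph(text)
    out = {}
    for r in roots(nodes, edges):
        ids = [n for n in reachable(edges, r) if n in nodes]
        apis = sorted({a for n in ids for a in nodes[n]["apis"]})
        out[nodes[r]["addr"]] = (apis, sum(nodes[n]["summarized"] for n in ids))
    return out


def api_sites(text, api):
    """entry address -> sorted addresses of the blocks that call `api` (ties the graph to the 'APIs' refs)."""
    nodes, edges = parse_graph(text)
    out = {}
    for r in roots(nodes, edges):
        sites = sorted({nodes[n]["addr"] for n in reachable(edges, r) if n in nodes and api in nodes[n]["apis"]})
        if sites:
            out[nodes[r]["addr"]] = sites
    return out


def call_targets(text):
    """entry address -> sorted addresses of functions called via 'call <addr>' annotations."""
    nodes, edges = parse_graph(text)
    out = {}
    for r in roots(nodes, edges):
        callees = sorted({c for n in reachable(edges, r) if n in nodes for c in nodes[n]["calls"]})
        if callees:
            out[nodes[r]["addr"]] = callees
    return out


if __name__ == "__main__":
    for name, text in (("execution_graph", EXEC_EXCERPT), ("control_flow_graph", CFG_EXCERPT)):
        print(name)
        for entry, (apis, elided) in api_reach(text).items():
            print(f"  {entry}: apis={apis} elided_api_calls={elided}")
        print("  GlobalMemoryStatusEx sites:", api_sites(text, "GlobalMemoryStatusEx"))
        print("  calls:", call_targets(text))
```

The block address that `api_sites` returns for the control-flow graph (160eeb5) is the block containing the report's own `GlobalMemoryStatusEx` reference at 0160EF17, which is the cross-check to apply when deciding whether a graph summary and an "APIs" line describe the same call site.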

                                  Control-flow Graph
                                  • Function entry 7480c70, basic blocks 7480c70 through 7480d8c; block 7480d0a-7480d42 calls CallWindowProcW (rendered graph and basic-block edge list omitted)
                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 07480D31
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718670485.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7480000_Payment details.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: e80ca4a8065660becfbb366e53adc139b11229cb0c89570550f67179eb6d1e20
                                  • Instruction ID: 81a32e5c7db2d630f74e7c67b966ad0515fe81930e8a2c31194bcda9831249da
                                  • Opcode Fuzzy Hash: e80ca4a8065660becfbb366e53adc139b11229cb0c89570550f67179eb6d1e20
                                  • Instruction Fuzzy Hash: D84138B4910309CFDB54DF99C848B9ABBF5FF88314F248459E519AB321D774A845CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • Function entry 160e9c8, basic blocks 160e9c8 through 160ef55; block 160e9c8-160ef24 calls GlobalMemoryStatusEx (rendered graph and basic-block edge list omitted)
                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0160EE2A), ref: 0160EF17
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2712136611.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_1600000_Payment details.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: 1b8b1c51a2bca374d5ace842ae1604a1d5fc88a445b4437604ceea92fccde06f
                                  • Instruction ID: 8a69d3901ea7f4bca52f7dfa38b800ff9d576f42254768609a808a26b6afb5d4
                                  • Opcode Fuzzy Hash: 1b8b1c51a2bca374d5ace842ae1604a1d5fc88a445b4437604ceea92fccde06f
                                  • Instruction Fuzzy Hash: D71114B1C046599BDB14CF9AC844BDEFBF4EF48210F10856AE818B7240D379A944CFE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • Function entry 160eea8, basic blocks 160eea8 through 160ef55; block 160eef6-160ef24 calls GlobalMemoryStatusEx (rendered graph and basic-block edge list omitted)
                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0160EE2A), ref: 0160EF17
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2712136611.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_1600000_Payment details.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: f46303f1ba3bf9021197d59ad4afe20236307e10e61b7683d94ae628b5c88c17
                                  • Instruction ID: 7249b652c539b9d648b65e58af85efbcbd9c67f83be677ceb355ad57f857c2db
                                  • Opcode Fuzzy Hash: f46303f1ba3bf9021197d59ad4afe20236307e10e61b7683d94ae628b5c88c17
                                  • Instruction Fuzzy Hash: 831114B1C006599FDB14CFAAC844BDEFBF4AF48220F11852AE918A7240D379A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • Function entry 74822c0, basic blocks 74822c0 through 7483240; block 74822c0-748321a calls OleInitialize (rendered graph and basic-block edge list omitted)
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 0748320D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718670485.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7480000_Payment details.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  • Opcode ID: 66f74d21a7c45ce62e46d0a2e7800e9419709813e9aa7f8304b834dc0e87225f
                                  • Instruction ID: 50c152e6d864543c88749417bd0a4a0f3c30e6cc572fb042ec2a4a10ebdb717f
                                  • Opcode Fuzzy Hash: 66f74d21a7c45ce62e46d0a2e7800e9419709813e9aa7f8304b834dc0e87225f
                                  • Instruction Fuzzy Hash: C51115B580474C9FDB20DFAAD844BDEFBF4EB48610F10845AE519A7300C374A944CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • Function entry 74831b0, basic blocks 74831b0 through 7483240; block 74831b8-748321a calls OleInitialize (rendered graph and basic-block edge list omitted)
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 0748320D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718670485.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_7480000_Payment details.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  • Opcode ID: 880e63f3ee37c91671a8f3121f250d737f1adb2537fc4d1f033d99a54394d40c
                                  • Instruction ID: e402aa0fc8fefe023a24cc03f475b91dee4c51ab54ef0724dbb98eda701c61b3
                                  • Opcode Fuzzy Hash: 880e63f3ee37c91671a8f3121f250d737f1adb2537fc4d1f033d99a54394d40c
                                  • Instruction Fuzzy Hash: EC1103B5C04349CFDB20DFAAD844BDEFBF4AB48620F20855AD569A7290C378A544CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ba441503e2ed8bec127be9663406f2fac7087f3a41f839ba3716291f6ad4e64f
                                  • Instruction ID: 60dd2cc4d779eddc2f4f4d064ed1dae51eb4274a175860e4ab08311793299730
                                  • Opcode Fuzzy Hash: ba441503e2ed8bec127be9663406f2fac7087f3a41f839ba3716291f6ad4e64f
                                  • Instruction Fuzzy Hash: 7A625770A1020A8FDB55EF68D580A9EB7F2FF84714B21CA68D406AF355DB35EC46CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1098bf91e7a66f8c0843fd3f18bf209f20e1a2907729a75ced33d68ad9afbb77
                                  • Instruction ID: a33a04d64f58dbb2bdd025d61db62fd20f8dd33d062d1135b2ae65303baa0d0d
                                  • Opcode Fuzzy Hash: 1098bf91e7a66f8c0843fd3f18bf209f20e1a2907729a75ced33d68ad9afbb77
                                  • Instruction Fuzzy Hash: 6B326C34F202099FDB54DF68D980AAEB7F2FB88310F218569E505EB350DB79EC518B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a316034ea6f117ac260c1b745c385e9ed273cdf61511e0a44408fd9ee5a1ca1
                                  • Instruction ID: ee104b324fe1b4a18ec2bd267722410caebaffa70b3eb19eee5d4bc3671c5ee2
                                  • Opcode Fuzzy Hash: 7a316034ea6f117ac260c1b745c385e9ed273cdf61511e0a44408fd9ee5a1ca1
                                  • Instruction Fuzzy Hash: 2CE18E30F20209DFDF65DB68D8506AEB7B2FF85210F15852AE50AEB240DB75DC46CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13f084a79465ffe4cfde5b54c9fbe4d7ced39475b5ca90c4f4744d9fada8207b
                                  • Instruction ID: 0c5cd65c1689d03213ace7258562c4b639c6e9a9abeb09bb882f23254b515ce4
                                  • Opcode Fuzzy Hash: 13f084a79465ffe4cfde5b54c9fbe4d7ced39475b5ca90c4f4744d9fada8207b
                                  • Instruction Fuzzy Hash: 4AB1A770F202099FEF64DB5CD4907AEB7B6EB89710F618436E509EB391CA39DC818791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3956605b67406627b2b2096568044582dba30e46c7e48d7e4e5b5e06abbafb99
                                  • Instruction ID: 0abc9ca5e21e879bb625250d5319ca70b9af32d56afb25e364595456b1de9126
                                  • Opcode Fuzzy Hash: 3956605b67406627b2b2096568044582dba30e46c7e48d7e4e5b5e06abbafb99
                                  • Instruction Fuzzy Hash: 29A12C34E202098BDFA0DB58D480BADB7F1FB49310F25892AE559DB351DB75EC81CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e195ae4261b2fa0a24690fdaa622a578c42da4d8af4a054584af753675f356f
                                  • Instruction ID: e124a76b0a851c8066aa91d7d2688a27a529de8bc4bd5a087fa972d255c28c15
                                  • Opcode Fuzzy Hash: 4e195ae4261b2fa0a24690fdaa622a578c42da4d8af4a054584af753675f356f
                                  • Instruction Fuzzy Hash: 12913E30F1061A8FDB94DF69D8607AEB7B6FFC5600F10856AC90AAB344EA35DD418B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d88686cb771e8115fb96c32b7cabbde82b12e6b4cc024adbcb0b073f2a82ba3
                                  • Instruction ID: b0b5f67f3063d5f8945bbba96b5f38f2b9e046442dc6804cd342e8529d31cb13
                                  • Opcode Fuzzy Hash: 5d88686cb771e8115fb96c32b7cabbde82b12e6b4cc024adbcb0b073f2a82ba3
                                  • Instruction Fuzzy Hash: 0F018136B201115BDBA49B6DD854B2FB3DAEBC9A20F108839E20EC7345DE65DC024391
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 82126690d67419fdc0f5ae5f61fdd6c59b8f48b17a9a7f52e54994677f0549a5
                                  • Instruction ID: 93c18cd2cc50868ba84ec03b56bec4f4f1562c1e828799092912986dc2f016f7
                                  • Opcode Fuzzy Hash: 82126690d67419fdc0f5ae5f61fdd6c59b8f48b17a9a7f52e54994677f0549a5
                                  • Instruction Fuzzy Hash: A9014F31B205249BDBA0DB6CE854B6A73E6E7C9624F50C539F20EC7390EF25DC468791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d1cfd288cf64c37c75c7f19291d80a53c2f255e313db384f6c537795133ec955
                                  • Instruction ID: 697114c8946951fdb631614b6f4e74ead1343d4d383b5db19027bbf086ac2da9
                                  • Opcode Fuzzy Hash: d1cfd288cf64c37c75c7f19291d80a53c2f255e313db384f6c537795133ec955
                                  • Instruction Fuzzy Hash: 8701AF35B200116BDBA4D77CA850B2F73D6EBCAA24F11887AF60EC7350EE26DC024395
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fec6f8b9ed1420206fb7579d9be976b6522bc8d5a11c99b24c62066b3e0b3db9
                                  • Instruction ID: 4ac52153d24ea61591fbe6ee28be0e9f3339ec1a59ed9ad64daf4fa6ec7343cb
                                  • Opcode Fuzzy Hash: fec6f8b9ed1420206fb7579d9be976b6522bc8d5a11c99b24c62066b3e0b3db9
                                  • Instruction Fuzzy Hash: 45018435B210294BDB949B68DC547EE3BAAEBC8710F06853AD506E7280EE25CC1A47D1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 29ecdda049775901ef963cb3d3563a44614afaf04722c73dfb3dc2ddf0f6fcd4
                                  • Instruction ID: 3223339b1e539139a9764fb9275bdc63fba87fb15325273739db9a542f725e86
                                  • Opcode Fuzzy Hash: 29ecdda049775901ef963cb3d3563a44614afaf04722c73dfb3dc2ddf0f6fcd4
                                  • Instruction Fuzzy Hash: FC011D35B205249FDBA0DB6CE854B2A73E6EBC9624F50C539E20ED7390EE25DC418791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 236e05fe262be4bd7ec4a517124db98b949110c7967af70bc1f220f9645a576a
                                  • Instruction ID: 1094796401c95955e95f76e1607f003d4c7c41fa77a9df0316c6c89d0461d281
                                  • Opcode Fuzzy Hash: 236e05fe262be4bd7ec4a517124db98b949110c7967af70bc1f220f9645a576a
                                  • Instruction Fuzzy Hash: B7F0A036F302289BDB189A65EC00AABB37AE784261F014479EE01E7340DA75AC1087C0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 50ed24540e23d87d78d11c5c7fef1876007c2029d4879eb869cb63e9879d4caf
                                  • Instruction ID: 3509086aa2aa9f782096f47b1881a2ade72f5cc157a6848383e810217a3168b5
                                  • Opcode Fuzzy Hash: 50ed24540e23d87d78d11c5c7fef1876007c2029d4879eb869cb63e9879d4caf
                                  • Instruction Fuzzy Hash: C3F0E231E20124DFDF65CF80E5402A9B7BAEB08311F1A80B1CA04E3180D338CA42EB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31dea077d167ef86a06613f51b5e74aba67a837770647e4bc2f7bb786298f492
                                  • Instruction ID: 40f851bab8f04552f38e4e92806d7f14861a8786ab71788f0d4a07573aecc7c7
                                  • Opcode Fuzzy Hash: 31dea077d167ef86a06613f51b5e74aba67a837770647e4bc2f7bb786298f492
                                  • Instruction Fuzzy Hash: 17F0EC71D343845FDF50CF70C80575A7779DB01228F12CA95F544DB286D176C9018B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 301c899a5d4a2e3cdd65fe6ed4a6f340da405dc9257c1a701abb07c909ebb7ed
                                  • Instruction ID: c65d8397b435637115e44441ee5f97e3e35c5236ca39e0881f6c6cacf4288299
                                  • Opcode Fuzzy Hash: 301c899a5d4a2e3cdd65fe6ed4a6f340da405dc9257c1a701abb07c909ebb7ed
                                  • Instruction Fuzzy Hash: 21E0C270E30148ABDF90DFB0CA0576A73BDDB41208F2289A4E508DB346E172DA018780
                                  Uniqueness

                                  Uniqueness Score: -1.00%
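The records above are Joe Sandbox function-similarity entries: each one is a function carved from a memory dump of process 3 (the injected target) and identified by opcode and instruction hashes; the near-total absence of API and string matches and the -1.00% score show that these functions had nothing in the similarity database to match against. What a practitioner wants from such a listing is which dump region holds the unpacked code. The following Python is an added example, not part of the Joe Sandbox report, that parses entries in this layout and counts functions per memory region so the hottest dump (here the 0x6DF0000 region) stands out. The sample input is a shortened copy of three of the entries above, keeping only the fields the parser reads. The field order assumed for the .sdmp file name (process index, snapshot index, dump id, base address, page protection, an unknown field, region type, an unknown field) is inferred from the names on this page and is not a documented Joe Sandbox format; the PAGE_* and MEM_* values are the standard winnt.h constants.

```python
"""Parse Joe Sandbox function-similarity entries and group functions by memory dump region."""
import re
from collections import defaultdict

# Constructed sample: three entries trimmed to the fields this parser reads (layout as on the page).
SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
• Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
• API ID:
• Opcode ID: 8c2d9ecd02208d9e308c1e4b14881a86197b8872051c329e450f312da04df760
• Instruction Fuzzy Hash: AC21CFB5D11259AFCB10CF9AD885ACEFBF4FB48310F11812AE918A7340D374A944CFA5
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2711657673.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
• Snapshot File: hcaresult_3_2_13dd000_Payment details.jbxd
• API ID:
• Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
• Instruction Fuzzy Hash: 9D11DD76504284CFCB12CF64D9C4B15BFB2FB84318F24C6A9E8494B692C33AD44ACF62
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2718244440.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false
• Snapshot File: hcaresult_3_2_6df0000_Payment details.jbxd
• API ID:
• Opcode ID: 1a8eb9578494582adc2a260b972a7c67ee41175ffdcf49c7b17827c77a8d9c86
• Instruction Fuzzy Hash: FC11BDB5D01259AFDB10DF9AD884ADEFBF8FB48310F11812AE918A7340C374A954CFA5
Uniqueness Score: -1.00%
"""

# Standard winnt.h constants used to decode the protection and region-type fields.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: dot-separated fields are process index, snapshot index, dump id, base address,
# page protection, unknown, region type, unknown. Inferred from the names in the report.
DUMP_RE = re.compile(r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?[\d.]+)%")


def parse_dump_name(name):
    """Decode a .sdmp file name into process, snapshot, base address, protection and type."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    proc, snap, _dump_id, base, protect, _unk1, mtype, _unk2 = m.groups()
    return {"process": int(proc), "snapshot": int(snap), "base": int(base, 16),
            "protect": PAGE_PROTECT.get(int(protect, 16), f"0x{int(protect, 16):x}"),
            "type": MEM_TYPE.get(int(mtype, 16), f"0x{int(mtype, 16):x}")}


def parse_entries(text):
    """Split the listing on 'Memory Dump Source' headers; pull bullet fields and the score."""
    entries = []
    for chunk in re.split(r"^[ \t]*Memory Dump Source[ \t]*$", text, flags=re.M)[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        # "Source File: <name>, Offset: <hex>, based on PE: <bool>" carries three values.
        name, _, rest = fields.get("Source File", "").partition(", ")
        offset = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest)
        score = SCORE_RE.search(chunk)
        entries.append({"dump": parse_dump_name(name),
                        "offset": int(offset.group(1), 16) if offset else None,
                        "based_on_pe": "based on PE: true" in rest,
                        "has_api_match": bool(fields.get("API ID", "")),
                        "opcode_id": fields.get("Opcode ID", ""),
                        "instruction_fuzzy": fields.get("Instruction Fuzzy Hash", ""),
                        "uniqueness": float(score.group(1)) if score else None})
    return entries


def group_by_region(entries):
    """Count functions per (process, base, protection, type) so the busiest dump stands out."""
    groups = defaultdict(list)
    for e in entries:
        d = e["dump"]
        groups[(d["process"], d["base"], d["protect"], d["type"])].append(e["opcode_id"])
    return {region: len(ids) for region, ids in groups.items()}


if __name__ == "__main__":
    for region, n in sorted(group_by_region(parse_entries(SAMPLE)).items(), key=lambda kv: -kv[1]):
        proc, base, protect, mtype = region
        print(f"process {proc} base 0x{base:08X} {protect} {mtype}: {n} function(s)")
```

Run against the full listing, the region with the most carved functions is the one to dump and load into a disassembler first; a private RWX region that is not PE-backed ("based on PE: false") is the usual home of an unpacked .NET stealer payload like the one this report detects.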